Impact
- Create a blank XWiki instance and install the latest version of the URL shortener
- Use the following command to create a new page:
curl -X POST -k -i 'http://localhost:8080/rest/p/create?currentDocRef=xwiki:caubin.test.WebHome'
When calling this URL, the URL Shortener will actually create the document xwiki:caubin.test.WebHome and add a Short URL object to it.
We observe that any user (even guests) can create these documents, even if they do not already exist. This lets guest users degrade the structure of the wiki by creating thousands of pages with random names, which then become very difficult for admins to clean up.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
We're not aware of any workaround except upgrading.
References
Are there any links users can visit to find out more?
To solve this issue, we could think about two fixes:
- Test if the document already exists before creating the short URL
- If possible, check for validity of a CSRF token before creating the short URL
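The two proposed fixes, written out as an added model of the create endpoint (this is illustrative code, not the URL shortener's or XWiki's own implementation; the `Wiki` store, the token handling and the return strings are assumptions):

```python
"""Model of the URL-shortener create endpoint, with the two checks the advisory proposes."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Wiki:
    """Constructed stand-in for XWiki document storage (not the XWiki API)."""
    documents: Dict[str, List[str]] = field(default_factory=dict)  # docref -> objects
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def exists(self, doc_ref: str) -> bool:
        return doc_ref in self.documents


def create_short_url_vulnerable(wiki: Wiki, doc_ref: str) -> str:
    """Behaviour described in the advisory: the target page is created if it is absent,
    and nothing ties the request to an authenticated, intentional form submission."""
    wiki.documents.setdefault(doc_ref, []).append("ShortURLObject")
    return "created"


def create_short_url_hardened(wiki: Wiki, doc_ref: str, form_token: Optional[str]) -> str:
    """Fix 2 first: a missing or wrong CSRF token is rejected before any state changes.
    Fix 1: the short URL is only attached to a document that already exists."""
    if form_token is None or not hmac.compare_digest(form_token, wiki.csrf_token):
        return "403 invalid or missing CSRF token"
    if not wiki.exists(doc_ref):
        return "404 document does not exist"
    wiki.documents[doc_ref].append("ShortURLObject")
    return "created"
```

In the hardened version an unauthenticated POST with a random `currentDocRef` changes nothing, so the mass page creation described under Impact is no longer possible.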