On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer <[email protected]> wrote:

> In XWiki 1.8RC1, this "security issue" doesn't seem to be the case by
> default.
I'll check that. I realized I wrote a mistake in the first sentence. I didn't see the problem of code being shown or something like that, but when I call the resetPassword function, the system shows the _Email_ address of the user for whom I call resetPassword. And because anybody can call this function for any user, and because, in the default setting (and for password reset and other things to work properly), the pages that show all usernames are viewable by unregistered users, people can harvest email addresses from all users on the wiki.

But yes, the code viewing and execution stuff is interesting for other threads I started these days and for the general idea that I usually don't like to make the whole XWiki space viewable by unregistered users.

Henning

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
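The disclosure Henning describes (a reset action that echoes the target account's e-mail address back to whoever calls it, and so lets anyone enumerate addresses from a public user list) is a general pattern, not specific to XWiki. The following is an added illustration written for this thread, not XWiki's own code: a hypothetical `leaky_reset` with the behaviour described above next to a `safe_reset` that returns the same generic message whether or not the account exists, delivers the link out-of-band, and never places the address in the response. The user store, the `outbox` list standing in for a mail transport, and all function names are constructed for the example.

```python
"""Hypothetical password-reset handlers (added example; not XWiki code).

The point demonstrated: a reset endpoint that anyone can call must not
reveal per-account data (here, the e-mail address) in its response, and
should answer identically for existing and non-existing accounts so it
cannot be used to enumerate users.
"""
import hashlib
import secrets

# Constructed sample user store: username -> e-mail on file (not real data).
USERS = {
    "alice": "alice@example.org",
    "bob": "bob@example.net",
}

# Constructed store of issued reset tokens: sha256(token) -> username.
# Only the hash is stored, so a leaked table does not yield usable links.
ISSUED_TOKENS = {}

GENERIC_MESSAGE = (
    "If an account with that name exists, a reset link has been sent "
    "to the e-mail address on file."
)


def leaky_reset(username, outbox):
    """The behaviour described in the post: the caller sees the address.

    Both branches leak information: the error branch confirms that a
    username does not exist, the success branch reveals the e-mail.
    """
    email = USERS.get(username)
    if email is None:
        return "No such user"
    outbox.append((email, "reset link"))
    return f"A reset link was sent to {email}"


def safe_reset(username, outbox):
    """Hardened variant: uniform response, address used only out-of-band."""
    email = USERS.get(username)
    if email is not None:
        # Unguessable single-use token; only its hash is persisted.
        token = secrets.token_urlsafe(32)
        ISSUED_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
        outbox.append((email, f"https://wiki.example.invalid/reset?t={token}"))
    # Same text on every path, so the caller learns nothing about the account.
    return GENERIC_MESSAGE


def redeem_token(token):
    """Look up a token by its hash and consume it (single use).

    Returns the username the token was issued for, or None.
    """
    digest = hashlib.sha256(token.encode()).hexdigest()
    return ISSUED_TOKENS.pop(digest, None)


def mask_email(email):
    """If a UI must show a hint at all, show a masked address, never the full one.

    'alice@example.org' -> 'a***@e***.org'
    """
    local, domain = email.rsplit("@", 1)
    name, _, tld = domain.rpartition(".")
    return f"{local[0]}***@{name[0]}***.{tld}"


if __name__ == "__main__":
    sent = []
    print(leaky_reset("alice", sent))   # reveals alice's address
    print(safe_reset("alice", sent))    # generic text, link went to outbox
    print(safe_reset("nobody", sent))   # identical text for unknown user
    print(mask_email(USERS["alice"]))
```

The outbox entries in `safe_reset` are what a real deployment would hand to its mailer; the response body is the only thing the anonymous caller sees, and it carries no account-specific data.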

