On 05/13/2013 12:47 PM, Thomas Delafosse wrote:
> On Mon, May 13, 2013 at 6:24 PM, Sergiu Dumitriu <[email protected]> wrote:
> 
>> On 05/13/2013 12:13 PM, Thomas Delafosse wrote:
>>> I think it's more secure to let it be used only on the current user
>>> profile page. Otherwise we can imagine an attacker creating a page where
>>> this check is performed against the current user, enabling him to gain
>>> information about the users visiting this page.
>>> (For example he could do something like
>>> #foreach($passwd in $passwdList)
>>>    #if($xwiki.getUser().checkPassword($passwd))
>>>       Store this information somewhere (in another doc, in an object, or
>>> even by sending me a mail)
>>>    #end
>>> #end)
>>
>> This can still be done "apparently" in the context of the profile
>> document using, for example, something like XWIKI-8885. This is just
>> another inefficient hoop through which we force motivated attackers to
>> go through, but which doesn't fix the security issue.
>>
> 
> You are right, there are currently ways to work around this check. But I hope
> that with Andreas' branch it would be harder to find such leaks, and anyway
> it makes this attack available only to attackers having found these leaks.
> Even if this is not perfect, I feel more comfortable this way.
> 
> 
>>
>> On the other hand, it restricts its usage to just one specific purpose,
>> that of changing the password, when it could serve other useful (future)
>> scenarios, like confirming some dangerous changes (signing a script,
>> installing a XAR as backup package, permanently emptying the trash bins).
>>
> 
> I agree, it could be useful to check the password at some other points. So
> what we could do is allow public check only from the user's profile page,
> and PR check from any page. The issue with the change of password is that
> the template doesn't have PR, but I guess that in the scenarios you
> mention, this would be done from a normal wiki page, and thus we could ask
> this page to have PR. What do you think?

Agreed.

> 
>>
>>> And I don't think that users with PR need to be able to make this check
>>> on any user (and if they need they can still perform it through the
>>> core), so I prefer to keep it this way.
>>
>> Agreed.
>>
>>> Cheers,
>>>
>>> Thomas
>>>
>>>
>>> On Mon, May 13, 2013 at 5:42 PM, Sergiu Dumitriu <[email protected]>
>>> wrote:
>>>
>>>> On 05/06/2013 09:44 AM, Thomas Delafosse wrote:
>>>>> Hi all,
>>>>>
>>>>> After discussing it with Vincent, it seems that it would be better
>>>>> to be able to access this method without PR: thus we could keep the
>>>>> code for changing the password in passwd.vm instead of having to make
>>>>> a new page with PR for that. To prevent malicious users from using it
>>>>> nonetheless, I propose that this method could only be used to check
>>>>> the current user password, and only on its profile page.
>>>>> Does this seem OK to you, or do you think this should be done another
>>>>> way?
>>>>
>>>> Why only on the user's profile page?
>>>>
>>>> The method could allow public check only for the current user, and PR
>>>> check for any user.
>>


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu
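The access policy the thread converges on (the check always targets the current user; without PR it is allowed only from that user's own profile page; with PR it is allowed from any page) is small enough to model end to end. The block below is an added example written for this page, not XWiki code: `ScriptContext`, `User`, `PasswordCheckDenied` and `check_current_user_password` are names invented here, the sample user and document references are constructed, and the salted hash is stand-in storage rather than XWiki's password format. It also replays the "attacker page loops over a password list" scenario Thomas describes and shows the guard refusing the very first call.

```python
"""Model of the proposed scripting-API password check (added example, not XWiki code).

Rules modelled from the discussion:
  * the check is always performed against the *current* user; no parameter
    lets a script name another account, with or without PR;
  * without programming rights (PR) the call is allowed only while the
    current document is the current user's own profile page;
  * with PR the call is allowed from any page (e.g. to confirm a dangerous change).
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    reference: str          # document reference of the profile, e.g. "XWiki.Alice" (constructed)
    salt: bytes
    password_hash: bytes


@dataclass(frozen=True)
class ScriptContext:
    current_user: User
    current_document: str   # reference of the document whose script is running
    has_programming_rights: bool


class PasswordCheckDenied(Exception):
    """Raised when the calling script may not use the password check at all."""


def hash_password(salt: bytes, password: str) -> bytes:
    # Salted PBKDF2 used only by this example; the iteration count is kept
    # low so the demo runs quickly, a real store would use a much slower setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(reference: str, password: str) -> User:
    # Deterministic salt derived from the reference: demo only, not a real scheme.
    salt = hashlib.sha256(reference.encode()).digest()[:16]
    return User(reference, salt, hash_password(salt, password))


def check_current_user_password(ctx: ScriptContext, password: str) -> bool:
    """Script-API entry point modelled on the thread's proposal (hypothetical name).

    Only ctx.current_user's password can ever be tested, so a page cannot be
    turned into an oracle for other accounts. Callers without PR are accepted
    only from that user's profile page; callers with PR from any page.
    """
    on_own_profile = ctx.current_document == ctx.current_user.reference
    if not (ctx.has_programming_rights or on_own_profile):
        raise PasswordCheckDenied(
            f"password check refused from {ctx.current_document}: "
            "caller has no PR and this is not the current user's profile page"
        )
    candidate = hash_password(ctx.current_user.salt, password)
    # Constant-time comparison so the check itself does not leak via timing.
    return hmac.compare_digest(candidate, ctx.current_user.password_hash)


def demo() -> dict:
    """Run the three situations from the thread and report what the guard does."""
    alice = make_user("XWiki.Alice", "correct horse")   # constructed sample user
    results = {}

    # 1. Alice is on her own profile page; passwd.vm has no PR: allowed.
    profile = ScriptContext(alice, "XWiki.Alice", has_programming_rights=False)
    results["profile_correct"] = check_current_user_password(profile, "correct horse")
    results["profile_wrong"] = check_current_user_password(profile, "guess")

    # 2. Alice visits a page written by someone else (the scenario quoted in
    #    the thread). The page has no PR, so a #foreach over a password list
    #    fails on its first call instead of harvesting anything.
    other_page = ScriptContext(alice, "Sandbox.SomeoneElse", has_programming_rights=False)
    harvested = []
    try:
        for guess in ["123456", "correct horse", "password"]:   # constructed list
            if check_current_user_password(other_page, guess):
                harvested.append(guess)
        results["other_page"] = "allowed"
    except PasswordCheckDenied:
        results["other_page"] = "denied"
    results["harvested"] = harvested

    # 3. A page that does have PR (e.g. confirming a dangerous change) may
    #    check from anywhere, but still only the current user's own password.
    pr_page = ScriptContext(alice, "Admin.ConfirmDelete", has_programming_rights=True)
    results["pr_page_correct"] = check_current_user_password(pr_page, "correct horse")
    return results


if __name__ == "__main__":
    print(demo())
```

The profile-page condition is deliberately a single equality test so the trade-off Sergiu raises stays visible: anything that lets a script run "apparently" in the profile document's context defeats it, whereas the current-user-only rule holds regardless of which document the script lives in.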
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
