On 17 Dec 2015 at 14:17:02, vinc...@massol.net wrote:
> Hi XWiki users and devs,
>
> An important security issue in the XML-RPC module of XWiki
> (http://extensions.xwiki.org/xwiki/bin/view/Extension/XML-RPC+Integration)
> was brought to our attention by a community member (thanks Ruben Herold).
> Specifically, if your wiki is available on the internet, it’s possible that an
> intruder may have had access to local files that can be read by the user
> under which you’ve started the Servlet Container used for XWiki.
>
> Note 1: The issue actually comes from the version of the Apache XMLRPC module
> we were using (https://ws.apache.org/xmlrpc/). It’s been fixed in the latest
> version (3.1.3). We were using version 3.1.
>
> Note 2: The XWiki XMLRPC module has been deprecated for a long time now (was
> replaced by REST) but it was still enabled till XWiki 7.3M1:
> * In XWiki 7.3M1 we’ve turned off that feature
> * In XWiki 7.4M2 we’ve removed it altogether by default
>
> We recommend that you either upgrade to XWiki 6.4.7, 7.1.4 or 7.3+ or that
> you turn off the XML-RPC feature on your wiki **especially if your wiki is
> open on the internet**.
>
> Turning it off is easy: edit XWiki’s META-INF/web.xml file and comment out or
> remove the following sections:
Correction:
it’s WEB-INF/web.xml
Thanks
-Vincent
> ...
>
_______________________________________________
devs mailing list
devs@xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
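
Added example, not part of the original thread or of XWiki's code: a check that no XML-RPC servlet entry is still active in WEB-INF/web.xml after the edit described above. The message elides the actual sections, so matching on "xmlrpc" and every servlet name, class and URL pattern in the sample are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: XML-RPC entries are recognisable by "xmlrpc" in a servlet name,
# class or URL pattern; the real entries are elided in the message above.
MARKER = re.compile(r"xml-?rpc", re.IGNORECASE)
CHECKED = {"servlet", "servlet-mapping", "filter", "filter-mapping"}

def local(tag):
    """Strip an XML namespace prefix such as {http://...}servlet."""
    return tag.rsplit("}", 1)[-1]

def active_xmlrpc_entries(web_xml_text):
    """Return (element, matching text) pairs that are still active.

    The parser drops XML comments, so commented-out sections are not reported.
    """
    root = ET.fromstring(web_xml_text)
    hits = []
    for elem in root:
        if local(elem.tag) not in CHECKED:
            continue
        for child in elem.iter():
            text = (child.text or "").strip()
            if text and MARKER.search(text):
                hits.append((local(elem.tag), text))
                break  # one hit per top-level element is enough
    return hits

# Constructed sample descriptor (hypothetical names, not XWiki's real web.xml).
XMLRPC_BLOCK = """
  <servlet>
    <servlet-name>example-xmlrpc</servlet-name>
    <servlet-class>org.example.ExampleXmlRpcServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>example-xmlrpc</servlet-name>
    <url-pattern>/xmlrpc/*</url-pattern>
  </servlet-mapping>
"""
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">{xmlrpc}
  <servlet>
    <servlet-name>example-rest</servlet-name>
    <servlet-class>org.example.RestServlet</servlet-class>
  </servlet>
</web-app>"""
SAMPLE_ACTIVE = TEMPLATE.format(xmlrpc=XMLRPC_BLOCK)
SAMPLE_DISABLED = TEMPLATE.format(xmlrpc="<!--" + XMLRPC_BLOCK + "-->")

if __name__ == "__main__":
    print("before edit:", active_xmlrpc_entries(SAMPLE_ACTIVE))
    print("after edit: ", active_xmlrpc_entries(SAMPLE_DISABLED))
```

An empty list means no matching entry is active; run it against the real file's contents after restarting the servlet container.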