--
Ricardo Rodríguez
Research Management and Promotion Technician
Health Research Institute of Santiago de Compostela (IDIS)
http://www.idisantiago.es
________________________________________
From: users-boun...@xwiki.org [users-boun...@xwiki.org] On Behalf Of Sergiu 
Dumitriu [ser...@xwiki.com]
Sent: 13 February 2012 23:22
To: XWiki Users
Subject: Re: [xwiki-users] security breach?

On 02/13/2012 05:08 PM, ricardo.julio.rodriguez.fernan...@sergas.es wrote:
>
> --
> Ricardo Rodríguez
> Research Management and Promotion Technician
> Health Research Institute of Santiago de Compostela (IDIS)
> http://www.idisantiago.es
> ________________________________________
> From: users-boun...@xwiki.org [users-boun...@xwiki.org] On Behalf Of Vincent 
> Massol [vinc...@massol.net]
> Sent: 13 February 2012 18:09
> To: XWiki Users
> Subject: Re: [xwiki-users] security breach?
>
> On Feb 13, 2012, at 5:47 PM,<ricardo.julio.rodriguez.fernan...@sergas.es>  
> <ricardo.julio.rodriguez.fernan...@sergas.es>  wrote:
>
>> Hi!
>>
>> Under certain circumstances I'm not able to identify, even though I've no 
>> access to a given XWiki page, it is possible to access/download its attached 
>> files provided you know their URLs.
>>
>> Please, could you figure out why this could happen? Thanks!
>
>>> Can you reproduce it? And if so, can we get access to a page showing the 
>>> symptom or could you tell us how to reproduce?
>>>
>>> Without more details it's going to be hard to figure out.
>>>
>>> Thanks
>>> -Vincent
>
> Hi, Vincent,
>
> No, I've not been able to reproduce it yet. The issue arose some time ago when 
> a user claimed that a paper of his, ready to be published by a first-line 
> magazine, appeared indexed by Google even though it was theoretically 
> protected within an XWiki installation. Please, check this:
>
> http://atrium_km.idisantiago.es/bin/Project/Transcan2012 - you should be 
> required to identify yourself
>
> http://atrium_km.idisantiago.es/bin/download/Project/Transcan2012/S28BW.numbers.png
>  - at least from my browsers here, this image is freely accessible... some 
> cache-related issue?
>
> http://atrium_km.idisantiago.es/bin/download/Project/Transcan2012/idisMotto.png
>  - you are required to identify yourself; this file is attached to the same page!

>>>> I'm prompted for a login for both images. Try to clear your browser
>>>> cache and see if you can still see the image.

Even after clearing the cache the image keeps being accessible... it seems more 
like a browser-related issue than an XWiki issue!! If you are prompted for a 
password in both cases, it is working as expected.

>>>>
>>>> Are you sure that Google got the paper from that page? Are you sure it
>>>> didn't get it at a time when the document was freely accessible?

Google points to the location of the file on our server. But I can't be 
absolutely sure that access to the attached file was restricted at time 0.

This reminds me of an old proposal of having a switch that allows, in a given 
installation, access to a new page/space to be restricted to its creator until 
he/she explicitly grants access to another user or group of users. This could 
be useful when working in an environment where security is critical and an 
error like the one it seems I committed exposes contents not intended for free 
access by default. Please, what do you think?

Thanks!!

> Vincent, do you remember your account at EPEC Network? Atrium_KM is now the 
> controller of the whole farm. I've changed the eBioTIC. look and feel to fit 
> the image requirements of this new initiative. I do hope I'll be able to get it 
> back ASAP! I've created a new account for you there and I'm sending you a new 
> password.
>
> Thanks!
>
> Ricardo
>
>> This is causing me some serious problems here. Running XWiki Enterprise 
>> 2.4.30451.
>>
>> Greetings!
>>
>> Ricardo
>>
>> --
>> Ricardo Rodríguez
>> Research Management and Promotion Technician
>> Health Research Institute of Santiago de Compostela (IDIS)
>> http://www.idisantiago.es
>>
>> Note: The information contained in this message and any attached documents 
>> is private and confidential and is addressed solely to its recipient. If you 
>> are not the original recipient of this message, please delete it. 
>> Distribution or copying of this message is not authorised.
>>
>> See more languages: http://www.sergas.es/aviso_confidencialidad.htm


--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

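The check the thread keeps circling around (is the attachment really reachable by an anonymous visitor, or is a browser cache answering?) can be made repeatable. Below is an added example, not code from the thread, from XWiki or from IDIS: a small Python probe that requests each URL from a fresh client with no cookies and with cache-bypass headers, refuses to follow redirects so the Location header can be inspected, and classifies the answer. It assumes that a protected resource answers an anonymous GET with 401/403 or with a redirect to a login page, and that an exposed attachment comes back 2xx with the file's own media type. The host and responses in SAMPLE are constructed so the script runs offline; point fetch_anonymously at real URLs to run it for real.

```python
"""Check from outside whether XWiki attachments are reachable anonymously.

Added example; not code from the thread, from XWiki or from IDIS.
Assumptions: a protected resource answers an anonymous GET with 401/403 or a
redirect to a login page; an exposed attachment answers 2xx with its own media
type. SAMPLE below is constructed (hypothetical host) so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional
import urllib.error
import urllib.request

# Sent on every probe so neither a browser cache nor a proxy cache can answer
# on the server's behalf (the "clear your cache" advice, made explicit).
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "User-Agent": "anon-access-check/1.0",
}


@dataclass
class Probe:
    url: str
    status: int
    location: Optional[str]
    content_type: Optional[str]
    length: int


def classify(p: Probe) -> str:
    """Verdict for one anonymous response.

    'protected': refused outright or bounced to a login page
    'exposed':   a 2xx whose body is not HTML, i.e. the attachment itself
    'unclear':   anything else, to be looked at by hand
    """
    if p.status in (401, 403):
        return "protected"
    if p.status in (301, 302, 303, 307, 308):
        return "protected" if "login" in (p.location or "").lower() else "unclear"
    if 200 <= p.status < 300:
        # A 200 with an HTML body may just be a login form served inline;
        # a real attachment comes back with its own media type (image/png...).
        if (p.content_type or "").lower().startswith("text/html"):
            return "unclear"
        return "exposed"
    return "unclear"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymously(url: str) -> Probe:
    """One GET with no cookies, no credentials and cache bypassed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=NO_CACHE_HEADERS)
    try:
        with opener.open(req, timeout=15) as resp:
            body = resp.read()
            return Probe(url, resp.status, resp.headers.get("Location"),
                         resp.headers.get("Content-Type"), len(body))
    except urllib.error.HTTPError as e:
        # 3xx (redirects are blocked above) and 4xx/5xx all land here.
        return Probe(url, e.code, e.headers.get("Location"),
                     e.headers.get("Content-Type"), 0)


def audit(urls: Iterable[str],
          fetch: Callable[[str], Probe] = fetch_anonymously) -> Dict[str, str]:
    """Probe every URL and map it to a verdict."""
    return {u: classify(fetch(u)) for u in urls}


def exposed_attachments(verdicts: Dict[str, str]) -> List[str]:
    """The symptom from the thread: attachment downloads that come back
    'exposed' even though the page they belong to is protected."""
    return sorted(u for u, v in verdicts.items()
                  if "/bin/download/" in u and v == "exposed")


# Constructed sample responses (hypothetical host) so the check runs offline.
SAMPLE = {
    "https://wiki.example.org/bin/view/Project/Draft": Probe(
        "https://wiki.example.org/bin/view/Project/Draft", 302,
        "https://wiki.example.org/bin/login/XWiki/XWikiLogin", "text/html", 0),
    "https://wiki.example.org/bin/download/Project/Draft/figure.png": Probe(
        "https://wiki.example.org/bin/download/Project/Draft/figure.png", 200,
        None, "image/png", 48213),
    "https://wiki.example.org/bin/download/Project/Draft/logo.png": Probe(
        "https://wiki.example.org/bin/download/Project/Draft/logo.png", 401,
        None, "text/html", 0),
}


def run_sample() -> List[str]:
    """Run the audit against the constructed sample instead of the network."""
    return exposed_attachments(audit(SAMPLE, fetch=SAMPLE.__getitem__))


if __name__ == "__main__":
    for url in run_sample():
        print("EXPOSED:", url)
```

A fresh client with no session cookie is the point: a browser that was logged in at some earlier time can keep serving an attachment from its own cache, which is exactly the confusion in the thread. Two caveats a practitioner should keep in mind: a 'protected' verdict today says nothing about whether the file was reachable at the moment a search-engine crawler fetched it (the question Sergiu raises), and a 200 with an HTML body is deliberately left 'unclear' because it may be a login form served inline rather than the attachment.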