Wiki source code of Security

Last modified by Simon Urli on 2023/12/26

Hide last authors
Simon Urli 34.1 1 This page aims at listing the various security aspects an administrator needs to be aware of when dealing with XWiki. For all security decision a developer needs to take when writing scripts and extensions, you should have a look to [[the security page of the developer guide>>Documentation.DevGuide.Security.WebHome]].
2
Ricardo Rodríguez 9.1 3 {{box cssClass="floatinginfobox" title="**Contents**"}}
4 {{toc/}}
5 {{/box}}
Silvia Macovei 5.1 6
Simon Urli 26.1 7 = Security Policy =
8
9 XWiki security policy [[is detailed here>>dev:Community.SecurityPolicy.WebHome]].
10
Caleb James DeLisle 6.1 11 = Security related features =
Ricardo Rodríguez 9.1 12
Caleb James DeLisle 6.1 13 XWiki offers some features for protecting security and some features which have security implications.
vmassol 1.2 14
Caleb James DeLisle 6.1 15 == Admin password ==
Ricardo Rodríguez 9.1 16
Vincent Massol 26.2 17 If you've used the [[Standalone/Demo packaging>>Documentation.AdminGuide.Installation.InstallationStandalone.WebHome]] then a defaut administration user is pre-created for you:
Thomas Mortagne 29.2 18
Vincent Massol 26.2 19 * Username: ##Admin##
20 * Password: ##admin##
Vincent Massol 2.1 21
Vincent Massol 26.2 22 Note: You could also remove that user but first you need to make sure it's not used as author of any page as it might create issue otherwise (some standard pages require their author to have enough right to be taken into account).
Thomas Mortagne 13.1 23
Vincent Massol 26.2 24 If you've used any other packaging to install XWiki, the [[Distribution Wizard>>Documentation.UserGuide.Features.DistributionWizard]] asks you to create an administration account and you get to choose the username and password.
25
Caleb James DeLisle 6.1 26 == Superadmin account ==
Ricardo Rodríguez 9.1 27
Vincent Massol 13.2 28 XWiki provides a ##superadmin## account. It is special, because:
Thomas Mortagne 13.1 29
Sergiu Dumitriu 1.3 30 * It is not stored in the database
31 * It cannot be modified in any way
32 * It always has full access, regardless of the rights settings
33
Silvia Macovei 5.1 34 {{warning}}
Manuel Smeria 12.5 35 Because the Superadmin account is so powerful, it is not safe to leave it enabled for a long time.
Silvia Macovei 5.1 36 {{/warning}}
Sergiu Dumitriu 1.5 37
Manuel Smeria 12.5 38 By default, this account is disabled. To enable it, you have to edit ##<xwiki-dir>/WEB-INF/xwiki.cfg##, uncomment the ##xwiki.superadminpassword=system## line and set a proper password. To disable it, just comment this line. Remember to restart the servlet container after changing ##xwiki.cfg##.
Sergiu Dumitriu 1.3 39
Silvia Macovei 5.1 40 {{info}}
41 Using this superadmin account is useful when you cannot log in anymore, for example when you forgot your admin user password, if you messed up some rights or if you have deleted your admin user by mistake.
42 {{/info}}
Vincent Massol 1.4 43
Caleb James DeLisle 6.1 44 == Cookies ==
Ricardo Rodríguez 9.1 45
Vincent Massol 29.1 46 XWiki uses several cookies on the user's machines. For example, XWiki identifies users who have already logged in by setting cookies. These can be the target of attacks.
vmassol 1.1 47
Vincent Massol 29.1 48 === Cookies List ===
49
50 This is the full list of Cookies used by XWiki core (if you install Extensions, they may define their own cookies and you would need to refer to their documentation).
51
52 |= Cookie name|=Content|=Path|=Domain|=Max age|=Is Secure?|=Usage
Vincent Massol 30.1 53 |##JSESSIONID##|Unique number representing the Session|##/##|Web site domain|Session duration (30mn by default, can be configured in ##web.xml##)|No|Session cookie created by the Servlet Container
Vincent Massol 32.1 54 |##ckCsrfToken##|Unique number (CSRF Token)|##/##|Web site domain|Session duration (30mn by default, can be configured in ##web.xml##)|Yes|Created by CKEditor. The CSRF token can be used to secure the communication between the web browser and the server, i.e. for the file upload feature in the editor. However XWiki doesn't use it as it has its own CSRF token mechanism.
Vincent Massol 29.1 55 |##language##|Current user locale|##/##|Not set|10 years|No|Remember the locale used
56 |##interfacelanguage##|The interface language used for the current user|##/##|Not set|10 years|No|Remember the UI language used
57 |##visitid##|Random alphanumeric value of 32 characters|##/##|A value from the comma-separated list from the ##xwiki.authentication.cookiedomains## config parameter, if it matches the server name|Difference between 1 Jan 2030 and current date|No|To uniquely recognize the user when computing visit stats. Note that the stats feature is deprecated and turned off.
58 |##[xwiki.authentication.cookieprefix]username##|The protected user name (i.e. encrypted using ##[xwiki.authentication.encryptionKey]## if ##xwiki.authentication.protection## is set)|##[xwiki.authentication.cookiepath]## or ##/## if not set|##[xwiki.authentication.cookiedomains]## matching the server name of ##/## if not set or no match|##[xwiki.authentication.cookielife]## (in days) or 15 days if not set, or until browser shutdown if "remember me" is not checked|Yes if request is using HTTPS|Remember me (if external authentication is used, this cookie may not be used). If ##xwiki.authentication.cookieprefix## is not set, then an empty string is used.
59 |##[xwiki.authentication.cookieprefix]password##|The protected password(i.e. encrypted using ##[xwiki.authentication.encryptionKey]## if ##xwiki.authentication.protection## is set)|##[xwiki.authentication.cookiepath]## or ##/## if not set|##[xwiki.authentication.cookiedomains]## matching the server name of ##/## if not set or no match|##[xwiki.authentication.cookielife]## (in days) or 15 days if not set, or until browser shutdown if "remember me" is not checked|Yes if request is using HTTPS|Remember me (if external authentication is used, this cookie may not be used). If ##xwiki.authentication.cookieprefix## is not set, then an empty string is used.
60 |##[xwiki.authentication.cookieprefix]rememberme##|True if remember me is checked, false otherwise|##[xwiki.authentication.cookiepath]## or ##/## if not set|##[xwiki.authentication.cookiedomains]## matching the server name of ##/## if not set or no match|##[xwiki.authentication.cookielife]## (in days) or 15 days if not set, or until browser shutdown if "remember me" is not checked|Yes if request is using HTTPS|Remember me (if external authentication is used, this cookie may not be used). If ##xwiki.authentication.cookieprefix## is not set, then an empty string is used.
61 |##[xwiki.authentication.cookieprefix]validation##|MD5 hash based on the protected username, protected password and the IP addres (if ##xwiki.authentication.useip## is set)|##[xwiki.authentication.cookiepath]## or ##/## if not set|##[xwiki.authentication.cookiedomains]## matching the server name of ##/## if not set or no match|##[xwiki.authentication.cookielife]## (in days) or 15 days if not set, or until browser shutdown if "remember me" is not checked|Yes if request is using HTTPS|Remember me (if external authentication is used, this cookie may not be used). If ##xwiki.authentication.cookieprefix## is not set, then an empty string is used.
62
63 Legend help:
Thomas Mortagne 29.2 64
Vincent Massol 29.1 65 * If "Is Secure?" is true, it means that the cookie is only sent when HTTPS is used.
66
Thomas Mortagne 29.2 67 === Cookie Encryption Keys ===
Ricardo Rodríguez 9.1 68
Ecaterina Moraru (Valica) 21.4 69 When a user logs in, three cookies are saved on his machine containing the username, password and a "nothing up my sleeve" hash. The cookies are encrypted so that nobody having access to them can see the username/password. This encryption is done using 2 configuration parameters located in the //xwiki.cfg// configuration file. This file is located in //WEB-INF/// in the XWiki WAR (see the [[Installation guide>>Documentation.AdminGuide.Installation]] for where it's installed).
Thomas Mortagne 29.2 70
71 {{version before="15.9, 15.5.4, 14.10.19"}}
Ecaterina Moraru (Valica) 21.4 72 It's important you edit the //[[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]]// file to modify the cookie authentication and encryption keys as they use default values when you install XWiki and these predefined values could be used by an attacker to decipher the username and password. To prevent this, change the following 2 configuration parameters:
Thomas Mortagne 13.1 73
Silvia Macovei 5.1 74 * //xwiki.authentication.validationKey//
75 * //xwiki.authentication.encryptionKey//
Thomas Mortagne 29.2 76 {{/version}}
vmassol 1.1 77
Vincent Massol 22.1 78 See the [[Authentication parameters section>>Documentation.AdminGuide.Authentication.WebHome#HAuthenticationparameters]] for more details.
Caleb James DeLisle 6.1 79
80 === Encrypt cookies using IP address ===
Ricardo Rodríguez 9.1 81
Vincent Massol 23.2 82 Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>Documentation.AdminGuide.Security#HCrossSiteScripting]]) and used as they are. To limit this by default, the cookies are blocked from being used except by the same IP address that was used to create them.
Caleb James DeLisle 6.1 83
Vincent Massol 23.2 84 You can disable this by setting the [[##xwiki.cfg##>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]] parameter ##xwiki.authentication.useip## to false.
85
Alex Busenius 7.1 86 == Override version information ==
87
Ecaterina Moraru (Valica) 20.1 88 By default, the exact XWiki version is shown in the footer of every page. This is not harmful by itself, but can provide useful information to the attacker, who can use known vulnerabilities against this version.
Alex Busenius 7.1 89
Simon Urli 23.3 90 You can change the version string shown in the footer using the [[Administration Application>>extensions:Extension.Administration Application]]. Click on the ##Presentation## icon and change the version string in the //Version// field. Please note that with this solution, the version can still be find through a REST request on the wiki.
Alex Busenius 7.1 91
Manuel Smeria 12.5 92 If you want to be sure the version is definitely not leaked somewhere else, you can replace the file //WEB-INF/version.properties// by your own version with the following content: {{code}}version=your version string here{{/code}}.
Alex Busenius 7.1 93
Vincent Massol 33.1 94 = Antivirus =
95
96 There's an [[Antivirus Application>>https://store.xwiki.com/xwiki/bin/view/Extension/AntivirusApplication/]] developed by a sponsoring company offering scanning for antivirus when attaching files to wiki pages.
97
Caleb James DeLisle 6.1 98 = Discussion of attack vectors =
Ricardo Rodríguez 9.1 99
Caleb James DeLisle 6.1 100 Perfect security is generally considered impossible. With simple static HTML servers we can have near perfect security but those are not very useful. This document discusses different threat models and how to fortify against each. These attacks are grouped by type of access gained if successful. More dangerous attacks are near the top yet the most common attacks are less dangerous (and easier to perform) and will be seen at the bottom.
101
102 == Server root attacks ==
Ricardo Rodríguez 9.1 103
Caleb James DeLisle 6.1 104 This attack is characterized by assent of power in the operating system and is largely beyond the scope of this document as it is the responsibility of the operating system to prevent users ascending power.
105
106 === Likelihood / Known Issues ===
Ricardo Rodríguez 9.1 107
Caleb James DeLisle 6.1 108 Not a very common attack method.
109
110 === Mitigation Methods ===
Ricardo Rodríguez 9.1 111
Caleb James DeLisle 6.1 112 * Run a decent operating system
Manuel Smeria 12.5 113 * Run the Java VM with XWiki under its own username, only give this user permissions to files needed for the operation of XWiki and make sure this user doesn't have sudo access
Caleb James DeLisle 6.1 114 * Don't run extraneous processes on the server
115 * Run services on non-standard ports (ssh)
116 * Firewall all ports not explicitly needed
117
118 == Java VM attacks ==
Ricardo Rodríguez 9.1 119
Caleb James DeLisle 6.1 120 This attack is characterized by the attacker running arbitrary code on Java and perhaps using Java level security flaws to execute native code thus gaining access in the user level of the Java VM process.
121
122 === Likelihood / Known Issues ===
Ricardo Rodríguez 9.1 123
Manuel Smeria 12.5 124 * XWiki requires reflection of private fields and variables for the [[component module>>extensions:Extension.Component Module]] This means that jsr223 scripts such as Groovy and Python are able to read and write any field or variable in the system which may lead to execution of native code via Java Native Access. Virtual wikis are not insulated against this attack method and as such virtual wiki administrators cannot be given programming permission (note that there is another reason for not giving wiki admin programming rights in a farm, it is because you may access any document without rights being checked, even in another wiki). This flaw could lead to dumping of connected databases, however user passwords are SHA-512 hashed (see [[this issue>>http://jira.codehaus.org/browse/GROOVY-1875]] for more details.
125 ** This attack method requires the use of a registered username which has programming rights
Caleb James DeLisle 6.1 126
127 === Mitigation Methods ===
Ricardo Rodríguez 9.1 128
Manuel Smeria 12.5 129 * Enable a SecurityManager which peeks at the calling stack and only allows unchecked reflection if called by the component manager
130 * Disable Groovy entirely
131 * Guard programming rights closely, have a special username just for saving documents which contain approved Groovy scripts
Caleb James DeLisle 6.1 132
133 == Database Injection attacks ==
Ricardo Rodríguez 9.1 134
Caleb James DeLisle 6.1 135 Such an attack happens from inside of unsafe scripting and results in unintended information being given up by the database.
136
137 === Likelihood / Known Issues ===
Ricardo Rodríguez 9.1 138
Caleb James DeLisle 6.1 139 * XWiki uses Hibernate as a database controller so some of the injection methods are mitigated. XWiki gives you the capability to create safe scripts and unsafe scripts.
140 ** This attack method may often be performed without a registered username.
141
142 === Mitigation Methods ===
Ricardo Rodríguez 9.1 143
Thomas Mortagne 13.1 144 * You can use this groovy snippet to test your database to see if it supports [[stacked queries>>http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/#StackingQueries]]. If your database does not support stacked queries, injection in a SELECT query can only lead to additional arbitrary SELECT queries:(((
Ricardo Rodríguez 9.1 145 {{code language="java"}}
Caleb James DeLisle 6.1 146 {{groovy}}
147 try {
148 session = xcontext.getContext().getWiki().getHibernateStore().getSessionFactory().openSession();
149 session.connection().createStatement().execute("begin transaction; rollback;");
150 println("Your database supports stacked queries.")
151 } catch (Exception e) {
152 println("Your database does not support stacked queries.");
153 } finally {
154 try {
155 session.close()
156 } catch (Exception e) {}
157 }
158 {{/groovy}}
159 {{/code}}
Manuel Smeria 12.5 160 )))
161 * Configure your database to log or if possible disable comment syntax {{code language="none"}} -- /* */ and # {{/code}}. Comments are not used by Hibernate and are central to most of the more dangerous SQL injection.
162 * When designing scripts avoid the temptation to concatenate user input into database queries
Caleb James DeLisle 6.1 163
164 **WRONG:**
165
166 {{code}}
167 #set($x = $xwiki.searchDocuments("where doc.fullName = '${userContent}'"))
168 {{/code}}
169
Manuel Smeria 12.5 170 If the user enters: {{code}} ' or doc.hidden = 1 or doc.fullName = ' {{/code}} your code will create the Hibernate query: {{code language="sql"}}where doc.fullName = '' or doc.hidden = 1 or doc.fullName = ''{{/code}}.
Caleb James DeLisle 6.1 171
172 This may not be a horrible outcome but it is not what you wanted and others surely can invent far more dangerous injections than this.
173 Fortunately Hibernate itself protects against the worst type of injection such as:
174
Ricardo Rodríguez 9.1 175 {{code language="sql"}}
Caleb James DeLisle 6.1 176 Embarrassing Mistake'); DROP TABLE xwikidoc;--
177 {{/code}}
178
Manuel Smeria 12.5 179 This is because it does not allow multiple commands in one call and does not allow the ~-~- comment syntax (can be bypassed in some versions; see above).
Caleb James DeLisle 6.1 180
Manuel Smeria 12.5 181 **RIGHT:**
Caleb James DeLisle 6.1 182
183 {{code}}
184 ## We are passing a ? in the query and then passing the parameter as a list (Velocity notation for list is [element, element] )
185 #set($x = $xwiki.searchDocuments("where doc.fullName = ?", [$userContent]))
186 {{/code}}
187
188 Your code will now instruct Hibernate to name the userContent parameter and pass it to the database separately from the query. The above injection trick will not work.
189
Manuel Smeria 12.5 190 * Avoid "Privileged API" whenever possible and only use non API when absolutely necessary. If each of your calls requires you to pass the context as a parameter, you're doing it wrong.
Caleb James DeLisle 6.1 191
Thomas Mortagne 27.1 192 For more information check the [[XWiki API Reference>>Documentation.DevGuide.API]].
Caleb James DeLisle 6.1 193
194 == Cross Site Scripting ==
Ricardo Rodríguez 9.1 195
Caleb James DeLisle 6.1 196 Cross site scripting or XSS is the least harmful to the server of all attack methods, however it is the most common.
Manuel Smeria 12.5 197 XSS can lead to users altering documents which they didn't want to or having their authentication cookies copied. XSS can also lead to exploitation of web browsers and plugins such as pdf or ActiveX. Such exploits often install malware.
Caleb James DeLisle 6.1 198
199 === Attack vectors (persistent injection) ===
Ricardo Rodríguez 9.1 200
Caleb James DeLisle 6.1 201 Persistent injection is characterized by saving content in the system which when loaded by the unwitting user, executes as javascript in their browser. This is the more dangerous variety because it sits in a page waiting for a victim.
202
203 1. Persistent injection through XWiki document content by editing the document.
204 2. Persistent injecting through comments.
205
206 ==== Likelihood / Known Issues ====
Ricardo Rodríguez 9.1 207
Caleb James DeLisle 6.1 208 * XWiki syntax 1.0 does not filter out HTML so script injection is possible
Thomas Mortagne 17.1 209 * XWiki syntax 2.0 contains html macro which when invoked allows injection of raw html and script. There is still no safe way to disable this (see [[this issue>>https://jira.xwiki.org/browse/XWIKI-3953]] for more information.
Manuel Smeria 12.5 210 ** This attack method requires the attacker to have a registered username (unless anonymous editing or commenting is allowed).
Caleb James DeLisle 6.1 211
212 ==== Mitigation Methods ====
Ricardo Rodríguez 9.1 213
Thomas Mortagne 13.1 214 * The only way to be sure that script cannot be injected in content (xwiki/1.0 or xwiki/2.0) is to make that content completely passive as follows:(((
Caleb James DeLisle 6.1 215 {{code}}
216 {{html}}
217 $escapetool.html($userContent)
218 {{/html}}
219 {{/code}}
Thomas Mortagne 13.1 220 )))There are however some methods to minimize the risk:
Manuel Smeria 12.5 221 * Disable creation of syntax 1.0 pages. **NOTE**: Pages which are already written in syntax 1.0 can still be altered and should be updated to syntax 2.0, otherwise they must have edit permission locked down so that only authorized users may edit them.
222 * Force unauthorized users to post through a script which escapes //~{~{// (double squigly brackets) because there is currently no way to prevent injection of html macro for unauthorized users.
223 * Set up ObservationManager to scan all page content and object property updates for HTML macro invocation and alert a moderator.
Ricardo Rodríguez 9.1 224
Caleb James DeLisle 6.1 225 === Attack vectors (reflective injection) ===
Ricardo Rodríguez 9.1 226
Caleb James DeLisle 6.1 227 Reflective injection is characterized by convincing a user to click on a specially crafted link which causes a page to generate javascript.
228
229 1. Reflective injection through form fields.
230
231 ==== Mitigation Methods ====
Ricardo Rodríguez 9.1 232
Manuel Smeria 12.5 233 Advise admins to use addons such as [[noscript>>https://addons.mozilla.org/en-US/firefox/addon/noscript/]] which will detect reflective injection attacks and warn the user when it suspects foul play and also avoid clicking on suspicious links.
Caleb James DeLisle 6.1 234
Manuel Smeria 12.5 235 * when content is loaded from request parameters into a form field, make sure it is escaped using [[EscapeTool>>http://velocity.apache.org/tools/devel/generic/EscapeTool.html]]
Caleb James DeLisle 6.1 236
237 **WRONG:**
238
Ricardo Rodríguez 9.1 239 {{code language="xml"}}
Caleb James DeLisle 6.1 240 <input type=text value="$request.get('name')" />
241 {{/code}}
242
243 **RIGHT:**
244
Ricardo Rodríguez 9.1 245 {{code language="xml"}}
Caleb James DeLisle 6.1 246 <input type=text value="$escapetool.html($request.get('name'))" />
247 {{/code}}
248
249 == Cross site request forgery (CSRF) ==
Ricardo Rodríguez 9.1 250
Caleb James DeLisle 6.1 251 The basis of this attack is that a foreign website can craft a malicious link or form which points to the save action in your system and when clicked by a logged in user will cause the user to save the page.
252
253 === Likelihood / Known Issues ===
Ricardo Rodríguez 9.1 254
Manuel Smeria 12.5 255 Currently there is no system implemented to prevent form submission from external sites. See discussion in mailing list about implementing [[secret tokens>>http://lists.xwiki.org/pipermail/devs/2010-March/017727.html]].
Caleb James DeLisle 6.1 256
257 === Mitigation Methods ===
Ricardo Rodríguez 9.1 258
Manuel Smeria 12.5 259 Advise admins to use addons such as [[noscript>>https://addons.mozilla.org/en-US/firefox/addon/noscript/]] which will help prevent automatic form submission by an attack site and also avoid clicking on suspicious links.
Vincent Massol 19.1 260
Vincent Massol 19.2 261 = Advisory Notices =
Vincent Massol 19.1 262
263 Here's a list of sites offering security advisory notices about XWiki:
Ecaterina Moraru (Valica) 20.1 264
Vincent Massol 19.1 265 * [[nvd.nist.gov>>https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=xwiki]]
266 * [[www.cvedetails.com>>http://www.cvedetails.com/product/6856/Xwiki-Xwiki.html?vendor_id=3885]]
267 * [[vuldb.com>>https://vuldb.com/fr/?search]] (need to search for ##xwiki##)
268 * [[vulners.com>>https://vulners.com/search?query=xwiki]]

Get Connected