Summary
Users with only edit right can access restricted PDF attachments through the PDF Viewer macro simply by passing the attachment's URL as the value of the file parameter.
Users with only view right can access restricted PDF attachments when those attachments are displayed on public pages where the PDF Viewer macro is called with the attachment URL instead of its attachment reference.
Details
A user with edit right can create a new page or edit an existing one and call the PDF Viewer macro with the URL of a restricted PDF attachment as the file parameter. The URL of a restricted PDF attachment can be obtained from the Page Index, Attachments tab. Even when the UI shows N/A, the user can inspect the page and look at the HTTP request that fetches the live data entries: the attachment URL is present in the returned JSON for all attachments, including protected ones.
A user with only view right can search for pages where the PDF Viewer macro is used, and in particular for macro calls where the value of the file parameter is a URL (starts with http) rather than an attachment reference. With some luck they will find a macro call where the displayed PDF attachment is itself protected.
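The two code paths described above, as an added illustration that is not the PDF Viewer macro's own code: a macro that checks rights only when the file parameter is an attachment reference and fetches URLs server-side, next to a hardened variant that maps a same-wiki download URL back to an attachment reference and applies the caller's view right to it. The wiki origin, the download path prefix, the attachment data and the permission table are all assumptions constructed for the example.

```python
"""Vulnerable vs. hardened resolution of the PDF Viewer macro's file parameter.

Added example with a made-up, minimal model of wiki pages and rights; it is
not the real macro implementation. Assumed: the wiki lives at WIKI_ORIGIN
and serves attachments under DOWNLOAD_PREFIX/<Space>/<Page>/<file>.
"""
from urllib.parse import urlparse, unquote

WIKI_ORIGIN = "https://wiki.example.com"      # assumed wiki base URL
DOWNLOAD_PREFIX = "/xwiki/bin/download/"      # assumed attachment download path

# Constructed sample data: one restricted page, one public page.
ATTACHMENTS = {
    "Private.Report@budget.pdf": b"%PDF-1.4 confidential budget ...",
    "Public.Home@brochure.pdf": b"%PDF-1.4 public brochure ...",
}
VIEW_ALLOWED = {
    "Private.Report": {"alice"},
    "Public.Home": {"alice", "bob", "guest"},
}


def can_view(user, page):
    """Minimal stand-in for the wiki's view-right check on a page."""
    return user in VIEW_ALLOWED.get(page, set())


def url_to_attachment_reference(url):
    """Map a same-wiki download URL to 'Space.Page@file'; None for anything else.

    Nested spaces are joined with dots (an assumption of this example).
    """
    parsed = urlparse(url)
    if f"{parsed.scheme}://{parsed.netloc}" != WIKI_ORIGIN:
        return None
    if not parsed.path.startswith(DOWNLOAD_PREFIX):
        return None
    parts = [unquote(p) for p in parsed.path[len(DOWNLOAD_PREFIX):].split("/")]
    if len(parts) < 3 or "" in parts:
        return None
    *spaces, page, filename = parts
    return f"{'.'.join(spaces)}.{page}@{filename}"


def fetch_as_server(url):
    """Stand-in for the macro downloading a URL with the server's own privileges.

    No per-user access check happens here: that is exactly the bypass.
    """
    ref = url_to_attachment_reference(url)
    if ref is None:
        raise ValueError("external URLs are not modelled in this example")
    return ATTACHMENTS[ref]


def load_pdf_vulnerable(user, file_param):
    """Reference: rights checked. URL: fetched server-side, rights bypassed."""
    if file_param.startswith("http"):
        return fetch_as_server(file_param)
    page = file_param.split("@", 1)[0]
    if not can_view(user, page):
        raise PermissionError(f"{user} may not view {page}")
    return ATTACHMENTS[file_param]


def load_pdf_hardened(user, file_param):
    """Normalise a same-wiki URL to a reference first, then apply the same check."""
    if file_param.startswith("http"):
        ref = url_to_attachment_reference(file_param)
    else:
        ref = file_param
    if ref is None:
        raise ValueError("only same-wiki attachments are served by this example")
    page = ref.split("@", 1)[0]
    if not can_view(user, page):
        raise PermissionError(f"{user} may not view {page}")
    return ATTACHMENTS[ref]


def view_outcome(loader, user, file_param):
    """Return 'served' or 'denied' so the two loaders can be compared directly."""
    try:
        loader(user, file_param)
        return "served"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    url = WIKI_ORIGIN + DOWNLOAD_PREFIX + "Private/Report/budget.pdf"
    print("vulnerable, bob, by URL:      ", view_outcome(load_pdf_vulnerable, "bob", url))
    print("vulnerable, bob, by reference:", view_outcome(load_pdf_vulnerable, "bob", "Private.Report@budget.pdf"))
    print("hardened,   bob, by URL:      ", view_outcome(load_pdf_hardened, "bob", url))
    print("hardened,   alice, by URL:    ", view_outcome(load_pdf_hardened, "alice", url))
```

The hardened variant decides on the resolved attachment reference, not on whether the requester happened to know the URL: as noted above, the URL is recoverable from the live data JSON even for protected attachments, so possession of it proves nothing about the caller's rights.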
Impact
- High: on private wikis (e.g. intranets), users with edit right can access sensitive / confidential information from PDF files attached to wiki pages
- Low: on public wikis, guest users can access sensitive information if private PDF files are displayed on public pages using the attachment URL. Displaying private PDF files on public pages is uncommon, and the attachment reference is the recommended way to specify the PDF file, but some users simply copy and paste the PDF attachment URL when inserting a PDF Viewer macro.
References
Issue link: #49