Blog Application / BLOG-191

Privilege escalation (PR) from account through blog content


Details

    • Unit
    • High
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. Log in as an unprivileged user (no edit rights besides user account) on a wiki where the blog application has been installed with programming rights.
      2. Change the user preferences to advanced user
      3. Edit the user profile with the object editor
      4. Add an object of type "Blog.BlogPostClass"
      5. Set the content of the blog post to
        {{groovy}}
        println("Hello from Groovy Blog post!")
        {{/groovy}}
        
      6. Click "Save & View"

      Expected result:

      An error is displayed that the groovy script macro is not allowed.

      Actual result:

      The text "Hello from Groovy Blog post!" is displayed.

      This shows a privilege escalation from a simple account to programming rights. I've reproduced this issue on XWiki 5.1 with the bundled blog application and on XWiki 14.5 with the current (9.11.5) blog application installed by a user with programming rights.
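A defender reviewing a wiki for the pattern described above wants to know which Blog.BlogPostClass objects carry a script macro and where they live, since an object sitting on a user profile page rather than in the blog space is exactly the case reported. The following scanner is an added example, not code from this issue or from the XWiki project; it assumes a simplified version of the per-document XML layout used in XWiki XAR exports (only the `web`, `name`, `author`, `object/className` and `object/property/content` elements are read) and the sample documents it scans are constructed, one reproducing the payload from the steps above.

```python
"""Scan XWiki document XML exports for Blog.BlogPostClass objects whose
content carries a script macro ({{groovy}}, {{velocity}}, ...).

Assumption (not from the issue): the input is the per-document XML format
found in a XAR export, reduced here to the elements this check needs.
"""
import re
import xml.etree.ElementTree as ET

BLOG_POST_CLASS = "Blog.BlogPostClass"

# Rendering macros that execute server-side script code in XWiki.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|velocity|python|php|ruby)\b", re.IGNORECASE)

# Constructed sample export: a user profile page (space "XWiki") carrying a
# blog post object with the Groovy content from the issue, plus a legitimate
# post in the Blog space without any script macro.
SAMPLE_EXPORT = {
    "XWiki.JohnDoe.xml": """<xwikidoc version="1.1">
  <web>XWiki</web>
  <name>JohnDoe</name>
  <author>xwiki:XWiki.JohnDoe</author>
  <object>
    <name>XWiki.JohnDoe</name>
    <number>0</number>
    <className>Blog.BlogPostClass</className>
    <property><title>Hello</title></property>
    <property><content>{{groovy}}
println("Hello from Groovy Blog post!")
{{/groovy}}</content></property>
  </object>
</xwikidoc>""",
    "Blog.WelcomePost.xml": """<xwikidoc version="1.1">
  <web>Blog</web>
  <name>WelcomePost</name>
  <author>xwiki:XWiki.Admin</author>
  <object>
    <name>Blog.WelcomePost</name>
    <number>0</number>
    <className>Blog.BlogPostClass</className>
    <property><title>Welcome</title></property>
    <property><content>Plain **wiki** text, no script macro.</content></property>
  </object>
</xwikidoc>""",
}


def scan_document(xml_text, trusted_spaces=("Blog",)):
    """Return one finding per BlogPostClass object that contains a script macro.

    Each finding records where the object lives and who last authored the
    document, which is what a reviewer needs to decide whether the script
    would run with rights the author does not actually hold.
    """
    root = ET.fromstring(xml_text)
    space = root.findtext("web", default="")
    name = root.findtext("name", default="")
    author = root.findtext("author", default="")
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != BLOG_POST_CLASS:
            continue
        content = ""
        for prop in obj.findall("property"):
            node = prop.find("content")
            if node is not None:
                content = node.text or ""
        match = SCRIPT_MACRO.search(content)
        if match is None:
            continue
        findings.append({
            "document": f"{space}.{name}",
            "author": author,
            "object_number": obj.findtext("number"),
            "macro": match.group(1).lower(),
            # A blog post object outside the blog's own space (for example on
            # a user profile) is the pattern described in BLOG-191.
            "outside_blog_space": space not in trusted_spaces,
        })
    return findings


def scan_export(export):
    """Scan every document in a {filename: xml_text} mapping and merge the findings."""
    findings = []
    for filename, xml_text in export.items():
        for finding in scan_document(xml_text):
            findings.append(dict(finding, file=filename))
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Run against a real export, every flagged object should be checked against the rights of the document's last author: a script macro in a post authored by someone without programming (or script) rights is the condition that makes the report above exploitable, and removing the object or rendering it with the author's rights closes it.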

People

  Michael Hamann