Details
- Bug
- Resolution: Fixed
- Blocker
- 4.2-milestone-2
- Unit, Integration
- Unknown
- N/A
Description
The fix for CVE-2025-55748 is insufficient, allowing for path traversal via the "resource" parameter to retrieve sensitive configuration files.
An example payload which could be used to access the config file (containing the superadmin password) is /bin/jsx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg
The fix included in the ClassLoaderUtils.java resolveResourceName method is incomplete.
```java
// Excerpt from ClassLoaderUtils.java (imports added here for readability)
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.lang3.StringUtils;

private static String resolveResourceName(String prefixPath, String resourcePath)
{
    String fullPath;
    if (StringUtils.isEmpty(prefixPath)) {
        fullPath = resourcePath;
        // Prevent access to resources from other directories
        // TODO: find or implement something close to Servlet ClassLoader behavior to be as accurate as possible
        // and be able to reuse the normalized result
        Path normalizedResource = Paths.get(fullPath).normalize();
        if (normalizedResource.startsWith("../")) {
            throw new IllegalArgumentException(String.format(
                "The provided resource name [%s] is trying to navigate out of the mandatory root location",
                resourcePath));
        }
    } else {
        fullPath = prefixPath + resourcePath;
        // Prevent access to resources from other directories
        // TODO: find or implement something close to Servlet ClassLoader behavior to be as accurate as possible
        // and be able to reuse the normalized result
        Path normalizedResource = Paths.get(fullPath).normalize();
        if (!normalizedResource.startsWith(prefixPath)) {
            throw new IllegalArgumentException(String.format(
                "The provided resource name [%s] is trying to navigate out of the mandatory prefix [%s]",
                resourcePath, prefixPath));
        }
    }
    // We cannot send back the normalized version as it might produce a result which is not compatible with the
    // ClassLoader (for example, on Windows Path#normalize() is replacing all "/" by "\", which is not a path
    // separator in ClassLoader)
    return fullPath;
}
```
Submitting a payload that starts with "/" instead of a "../" sequence does not trigger the path traversal exception, because the normalized path then no longer starts with "../". Moreover, after the checks the method returns fullPath rather than the normalized normalizedResource, so the un-normalized traversal sequence still reaches the class loader and the result is the same vulnerability as before.
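As an added illustration (not XWiki's code), the empty-prefix check from the excerpt above is placed next to a segment-based variant that returns exactly the name it validated and rejects any ".." that would climb above the root; it assumes prefixPath carries a trailing "/" and that ClassLoader resource names use "/" only.

```java
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;
public class ResourceNameCheck {
    // Mirrors the empty-prefix branch of the reported fix: checks the normalized form, returns the raw name.
    static String weakResolve(String resourcePath) {
        if (Paths.get(resourcePath).normalize().startsWith("../")) {
            throw new IllegalArgumentException("navigates out of the root: " + resourcePath);
        }
        return resourcePath;
    }

    // Hardened variant (assumption: prefixPath ends with "/"; ClassLoader names always use "/",
    // so segments are normalized by hand and the platform separator never leaks in).
    static String safeResolve(String prefixPath, String resourcePath) {
        String prefix = prefixPath == null ? "" : prefixPath;
        String normalizedPrefix = normalize(prefix);
        String normalized = normalize(prefix + resourcePath);
        if (!normalizedPrefix.isEmpty() && !normalized.startsWith(normalizedPrefix + "/")) {
            throw new IllegalArgumentException("navigates out of [" + prefix + "]: " + resourcePath);
        }
        return normalized; // return exactly what was validated
    }

    // Collapses "." and ".." segments; a ".." that would climb above the root is an error
    // instead of being silently clamped the way Path#normalize() treats "/../x".
    static String normalize(String name) {
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : name.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) continue;
            if (!segment.equals("..")) {
                segments.addLast(segment);
            } else if (segments.isEmpty()) {
                throw new IllegalArgumentException("navigates out of the root: " + name);
            } else {
                segments.removeLast();
            }
        }
        return String.join("/", segments);
    }

    public static void main(String[] args) {
        String payload = "/../../WEB-INF/xwiki.cfg"; // the resource value from the report
        System.out.println("weak: " + weakResolve(payload)); // passes the check, returned as-is
        System.out.println("safe: " + safeResolve("js/", "lib/app.js")); // js/lib/app.js
        try { safeResolve("", payload); } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected -> " + e.getMessage());
        }
    }
}
```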
Useful resources:
- https://jira.xwiki.org/browse/XWIKI-23109 - the original Jira issue
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf - the mentioned CVE advisory
Issue Links
- is related to: XWIKI-23109 Configuration files can be accessed through jsx and sx endpoints (Closed)