Steps to reproduce:
- As an admin, create a document "Secret.WebHome" with "Secret content" and restrict access to admins by setting a view right for the admin group.
- As an admin with programming rights, create a document "Including.WebHome" with content
- As a user without script or programming rights, create a document "Included.WebHome" with content
- Open the document "Including.WebHome"
There are errors displayed because the user cannot view the "Secret" document and cannot execute a Groovy macro.
A footnote with content
This demonstrates both a privilege escalation to programming rights and a data leak, because the footnote macro allows executing macros with the including document author's rights. Using the async macro, we can use the including document author's view rights to access otherwise inaccessible documents. None of the involved authors needs special rights for this; in the demo they were only used to demonstrate the privilege escalation to programming rights. This works with any macro that includes the XDOM of another document, in particular the include, display and uiextension macros.
The reason for this is that the footnote macro searches the whole XDOM, which includes the included documents, for footnote macro markers and executes their content in the current context. For this to work, there needs to be at least one footnote in the including document.
I haven't found any document in the standard XWiki distribution that contains footnotes, so by default there are no exploitable documents, but it is not hard to imagine that in a real wiki such documents could exist.
The affected version is just the version where I've reproduced the issue; this is most likely much older.
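
The root cause described above (footnotes collected from the whole XDOM, included documents as well, and run in the current context) can be seen in a small model. This is an added example, not part of the original report and not XWiki code: the `Block` tree, the rights table and both `put_footnotes_*` functions are hypothetical, and the hardened variant is one assumed mitigation, not the project's actual fix.

```python
"""Simplified model of the footnote/XDOM flaw. Not XWiki code; all names are hypothetical."""
from dataclasses import dataclass, field

@dataclass
class Block:
    kind: str                  # "doc", "include" or "footnote"
    content: str = ""
    author: str = ""           # only set on "doc" blocks: author of that document
    children: list = field(default_factory=list)

# Constructed rights table: which authors may execute script macros.
SCRIPT_RIGHT = {"admin": True, "user": False}

def run_macro(content, author):
    """Stand-in for macro execution: succeeds only if `author` has script right."""
    if not SCRIPT_RIGHT.get(author, False):
        return f"[error: {author} lacks script right]"
    return f"[executed as {author}: {content}]"

def footnotes(block, author):
    """Yield (footnote content, author of the document that defined the footnote)."""
    if block.kind == "doc":
        author = block.author  # crossing into a (possibly included) document
    if block.kind == "footnote":
        yield block.content, author
    for child in block.children:
        yield from footnotes(child, author)

def put_footnotes_vulnerable(root):
    # Flaw: every footnote found anywhere in the XDOM runs as the including document's author.
    return [run_macro(c, root.author) for c, _ in footnotes(root, root.author)]

def put_footnotes_hardened(root):
    # Assumed mitigation: each footnote runs with the rights of the document that defined it.
    return [run_macro(c, a) for c, a in footnotes(root, root.author)]

def build_demo():
    # Constructed sample: "Including" (by admin) includes "Included" (by user).
    included = Block("doc", author="user",
                     children=[Block("footnote", "script macro body")])
    return Block("doc", author="admin", children=[
        Block("footnote", "legit note"),  # the including document has its own footnote
        Block("include", children=[included]),
    ])

if __name__ == "__main__":
    demo = build_demo()
    print("vulnerable:", put_footnotes_vulnerable(demo))
    print("hardened:  ", put_footnotes_hardened(demo))
```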