Uploaded image for project: 'XWiki Rendering'
  1. XWiki Rendering
  2. XRENDERING-688

Impersonation/privilege escalation via footnotes and display/include/uiextensions macros

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. As an admin, create a document "Secret.WebHome" with "Secret content" and restrict access to admins by setting a view right for the admin group.
      2. As an admin with programming rights, create a document "Including.WebHome" with content
        {{display reference="Included.WebHome"/}}
        
        {{footnote}}Some footnote{{/footnote}}
      3. As user without script or programming right, create a document "Included.WebHome" with content
        {{footnote}}{{async cache="false"}}{{include reference="Secret.WebHome"/}}{{/async}}
        
        {{groovy}}println("Hello from Groovy!"){{/groovy}}{{/footnote}}
      4. Open the document "Including.WebHome"

      Expected result:

      There are errors displayed because the user cannot view the "Secret" document and cannot execute a Groovy macro.

      Actual result:

      A footnote with content

      Secret content.
      
      Hello from Groovy!

      is displayed.

      This demonstrates both a privilege escalation to programming rights as well as a data leak as the footnote macro allows executing macros with the including document author's rights. Using the async macro, we can use the including document's author's view rights to access otherwise inaccessible documents. For this, none of the involved authors needs special rights, in the demo they were just used to demonstrate the privilege escalation to programming rights. This works with any macro that includes the XDOM of another document, in particular these are the include, display and uiextension macros.

      The reason for this is that the footnote macro searches the whole XDOM, which includes the included documents, for footnote macro markers and executes their content in the current context. For this to work, there needs to be at least one footnote in the including document.

      I haven't found any document in the standard XWiki distribution that contains footnotes so by default there are no exploitable documents but it is not hard to imagine that in a real wiki such documents could exist.

      The affected version is just the version where I've reproduced the issue, this is most likely much older.

      Attachments

        Issue Links

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: