Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-16661

RCE using reset password

    XMLWordPrintable

Details

    • High
    • Unknown
    • N/A
    • N/A

    Description

      Issue

      When resetting the password, the user document XWiki.<username> is saved as superadmin.

      By creating a macro on the user document before resetting the document, it will be executed with superadmin privileges. Thus it is possible to run, for example, a groovy script as a normal user.

      Steps to reproduce

      1. Create an unprivileged user.
      2. Add a XWiki.WikiMacroClass object with a groovy script.
      3. Do a password reset request for this user.
      4. Use the macro in any document.

      Many variants can be used depending on how the user profile is configured.

      Other types of objects can also be used to hold the script.

       

      Attachments

        Issue Links

          depends on

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-11205 If view rights are not allowed for guest users then ResetPassword doesn't work

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-16610 Forgot Username and Reset Password are not available in closed wiki

          • Major - Major loss of function.
          • Closed
          links to

          Web Link Github security advisory

          Activity

            People

              surli Simon Urli
              jonathanvk Jonathan Villemaire-Krajden
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: