XWiki Platform
XWIKI-18776

Stored Cross Site Scripting

Details

    • Bug
    • Resolution: Duplicate
    • Critical
    • None
    • 12.10.8
    • None
    • Created with latest Docker:MySQL combination as per Github steps
      https://github.com/xwiki/xwiki-docker
    • Easy
    • N/A
    • N/A

    Description

      The application allows standard users to insert malicious JavaScript into their profile via the 'My Dashboard' feature and the HTML macro.

      The user is freshly created and is only a member of XWikiAllGroup; all changes are made in the context of this user.

      The HTML macro is not restricted by the 'ProgrammingRights' permission, as the Groovy and Python script macros are. See below.

      import os
      print(os.popen("id").read())
      print(os.popen("hostname").read())
      print(os.popen("ifconfig").read())

      The above code, inserted into a Python macro, produces the exception below and a UI error message when saved/executed.

      org.xwiki.rendering.macro.MacroExecutionException: You need Programming Rights to execute the script macro [python]
       at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:178)
      ...
      ...

      Creating an HTML macro with the content below results in the script being executed as part of the HTML. It runs in the browser of any user visiting the malicious user's dashboard.

      <script>alert(document.location)</script>

      Recommendations

      Limit access to the HTML macro to authorised users via 'ProgrammingRights', or implement an allow-list of safe HTML. The former is likely the easier and safest option: the application already allows code to be executed by administrative users, so this would appear to fit the existing design pattern.
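The second recommendation, an allow-list of safe HTML, is sketched below as an added example; it is not XWiki code and the tag/attribute policy, the function names and the dropped-item log format are assumptions made for the illustration. The sanitizer keeps only allow-listed tags and attributes, removes script/style elements together with their content, strips event-handler attributes and non-http(s) URLs, and records everything it removed so a save by a user without programming rights can be refused or logged rather than silently rewritten.

```python
"""Allow-list HTML sanitizer (added example, not XWiki code).

Keeps only allow-listed tags and attributes, drops executable content
(script/style, on* handlers, javascript: URLs) and records what was dropped.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy; a real deployment would derive it from its own needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "div", "span", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"},
                 "div": {"class"}, "span": {"class"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
RAW_TEXT_TAGS = {"script", "style"}              # removed with their content


def safe_url(value):
    """True if the URL is relative or uses an allow-listed scheme."""
    scheme = urlparse((value or "").strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized fragments, joined at the end
        self.dropped = []   # ("tag" | "attr", name) for everything removed
        self._skip = 0      # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip += 1
            self.dropped.append(("tag", tag))
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))   # tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers (onclick, onerror, ...) are never allowed on any tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # void elements: opening tag only

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            if self._skip:
                self._skip -= 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

    def handle_comment(self, data):
        self.dropped.append(("tag", "comment"))          # comments are never kept


def sanitize_html(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def is_safe_html(fragment):
    """True when nothing had to be removed, i.e. the fragment could be stored
    by a user without programming rights under this policy."""
    return not sanitize_html(fragment)[1]


if __name__ == "__main__":
    # The payload from the report (constructed input) comes back empty.
    print(sanitize_html("<script>alert(document.location)</script>"))
```

Using `dropped` as a signal rather than only returning the cleaned string lets the save path refuse the content or raise an audit event, which is closer to the report's preferred option of tying unrestricted HTML to 'ProgrammingRights' than silent rewriting would be.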


      People

              surli Simon Urli
              3therk1ll Richard Curteis
              Votes: 0
              Watchers: 2
