Summary

A user without program permission but with script permission and permission to edit wiki content can read the content on the xwiki server, such as the xwiki.cfg file with the superadmin password.

Tested Version

xwiki 13.5 standalone.

Details

After the vulnerability of https://jira.xwiki.org/browse/XWIKI-17141, xwiki upgraded its velocity core and restricted the execution of java code through program permissions.

But xwiki also exposes many other variables, such as:
$parent
$copyright
$isGuest
$isSuperAdmin
$sessionAttributeName
$context
$spaceHome
$displayDocExtra
$defaultDocumentEditor
$globalprefs
$util
$hasedit...

We found that an attacker can read sensitive files on the server and echo them to the server by calling $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg").

Impact

This issue may lead to a local file read.

Repair

The parameter passed to servletRequest.getRequestDispatcher before executing should be restricted or add program permission for this function.

Reporter

nancheal@qingteng-73lab