XWIKI-18870 (XWiki Platform)

LFI on XWIKI through $xwiki.invokeServletAndReturnAsString

    Description

      Summary

      A user who has script rights and edit rights on wiki content, but no programming rights, can read files on the XWiki server, such as WEB-INF/xwiki.cfg, which contains the superadmin password.

      Tested Version

      XWiki 13.5, standalone distribution.

      Details

      After https://jira.xwiki.org/browse/XWIKI-17141, XWiki upgraded its Velocity core and restricted the execution of arbitrary Java code to users with programming rights.

      But XWiki also exposes many other Velocity variables to script authors, such as:
      $parent
      $copyright
      $isGuest
      $isSuperAdmin
      $sessionAttributeName
      $context
      $spaceHome
      $displayDocExtra
      $defaultDocumentEditor
      $globalprefs
      $util
      $hasedit...

      We found that an attacker can read sensitive files on the server and have their content returned in the rendered page by calling $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"). The path is handed to a servlet RequestDispatcher, and the servlet container serves resources under /WEB-INF through a dispatcher include even though it refuses direct client requests to them.

      Impact

      This issue allows a local file read by any user with script rights: files inside the deployed web application, such as /WEB-INF/xwiki.cfg, can be echoed into a page. A RequestDispatcher is context-relative, so the read is limited to the web application, but that is enough to obtain the superadmin password and other configuration secrets.

      Repair

      The path passed to servletRequest.getRequestDispatcher should be validated before the dispatcher is executed (at minimum, rejecting anything that resolves under /WEB-INF or /META-INF after decoding and normalisation), or this function should require programming rights.
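
      The following is an added example of what such a check could look like; it is illustrative code written for this page, not XWiki's own implementation or its actual fix. The class name SafeServletInclude, the method names and the callerHasProgrammingRights flag are hypothetical; the flag stands in for whatever rights check the real API would perform. Compiling it requires the servlet API on the classpath and Java 11 or later; the main method exercises the path filter alone with constructed inputs.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical hardening of an include helper such as
 * $xwiki.invokeServletAndReturnAsString (example code, not XWiki's own).
 *
 * The servlet container serves /WEB-INF and /META-INF resources through a
 * RequestDispatcher include even though it refuses direct client requests to
 * them, so a script author who controls the dispatcher path can pull
 * /WEB-INF/xwiki.cfg into the rendered page. The fix: canonicalise the path the
 * way the container will, refuse those roots, and dispatch only to the
 * canonical form.
 */
public final class SafeServletInclude {

    /** Top-level directories that must never be reachable through a dispatcher. */
    private static final Set<String> FORBIDDEN_ROOTS = Set.of("WEB-INF", "META-INF");

    private SafeServletInclude() {
    }

    /**
     * Returns the canonical dispatcher target for rawPath, or null if it must be
     * rejected. Decoding and normalising here mirror what the container does to
     * the argument of getRequestDispatcher(), so "/%57EB-INF/xwiki.cfg",
     * "/skins/../WEB-INF/xwiki.cfg" and "//WEB-INF/xwiki.cfg" are caught as well
     * as the plain form.
     */
    public static String canonicalIncludePath(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) {
            return null;                     // dispatcher paths are context-relative
        }
        String path = rawPath;
        String query = "";
        int q = path.indexOf('?');
        if (q >= 0) {                        // validate the resource part only, keep the query
            query = path.substring(q);
            path = path.substring(0, q);
        }
        if (path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0) {
            return null;                     // NUL and backslash have no legitimate use here
        }
        String normalised;
        try {
            // Decode percent escapes once (a literal '+' is preserved, URLDecoder would
            // otherwise turn it into a space), collapse "//" so "//WEB-INF" cannot be
            // parsed as a URI authority, then resolve "." and ".." segments.
            String decoded = URLDecoder.decode(path.replace("+", "%2B"), StandardCharsets.UTF_8)
                    .replaceAll("/+", "/");
            normalised = new URI(null, null, decoded, null).normalize().getPath();
        } catch (IllegalArgumentException | URISyntaxException e) {
            return null;                     // malformed escape or unparsable path
        }
        if (normalised == null || !normalised.startsWith("/")
                || normalised.startsWith("/..") || normalised.contains("/../")) {
            return null;                     // traversal that would escape the context root
        }
        String first = normalised.substring(1);
        int slash = first.indexOf('/');
        if (slash >= 0) {
            first = first.substring(0, slash);
        }
        if (FORBIDDEN_ROOTS.contains(first.toUpperCase(Locale.ROOT))) {
            return null;                     // /WEB-INF, /web-inf, /META-INF, ...
        }
        return normalised + query;
    }

    /**
     * Dispatches to rawPath only if it passes the filter above, or if the caller
     * has programming rights (the second remedy proposed in the report; the flag
     * is a stand-in for the real rights check). The dispatcher is always created
     * from the canonical path so the container sees exactly what was validated.
     */
    public static void safeInclude(HttpServletRequest request, HttpServletResponse response,
            String rawPath, boolean callerHasProgrammingRights)
            throws ServletException, IOException {
        String target = callerHasProgrammingRights ? rawPath : canonicalIncludePath(rawPath);
        if (target == null) {
            throw new SecurityException("Refusing to dispatch to " + rawPath);
        }
        RequestDispatcher dispatcher = request.getRequestDispatcher(target);
        if (dispatcher == null) {
            throw new IllegalArgumentException("No dispatcher for " + target);
        }
        dispatcher.include(request, response);
    }

    /** Stand-alone check of the path filter with constructed inputs. */
    public static void main(String[] args) {
        String[] probes = {
            "/WEB-INF/xwiki.cfg",                 // the payload from the report
            "/%57EB-INF/xwiki.cfg",               // percent-encoded 'W'
            "/skins/../WEB-INF/xwiki.cfg",        // traversal into WEB-INF
            "//WEB-INF/xwiki.cfg",                // doubled slash
            "/web-inf/xwiki.cfg",                 // case variant
            "/bin/view/Main/WebHome?xpage=plain", // legitimate include, should pass
        };
        for (String p : probes) {
            String result = canonicalIncludePath(p);
            System.out.println(p + " -> " + (result == null ? "REJECTED" : result));
        }
    }
}
```

      The filter is deliberately a denylist on the two roots the servlet specification protects from direct requests; a stricter deployment could instead allowlist the handful of prefixes that scripts legitimately include. Dispatching with the canonical path rather than the caller's original string is the important design point: if the raw string were passed through, the container's own decoding and normalisation could produce a different resource from the one that was checked.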

      Reporter

      nancheal@qingteng-73lab

            People

              tmortagne Thomas Mortagne
              nancheal nancheal