Details
- Type: Bug
- Resolution: Fixed
- Priority: Critical
- 1.0
- Unknown
Description
Summary
A user who lacks programming rights but has script rights and edit rights on wiki content can read files on the XWiki server, such as the xwiki.cfg file, which contains the superadmin password.
Tested Version
XWiki 13.5 standalone.
Details
Following https://jira.xwiki.org/browse/XWIKI-17141, XWiki upgraded its Velocity core and restricted the execution of arbitrary Java from Velocity to users with programming rights.
But XWiki still exposes many other variables to scripts that only have script rights, such as:
$parent
$copyright
$isGuest
$isSuperAdmin
$sessionAttributeName
$context
$spaceHome
$displayDocExtra
$defaultDocumentEditor
$globalprefs
$util
$hasedit...
We found that an attacker with script rights can read sensitive files under the web application root and return their contents into the rendered page by calling $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"). The servlet container refuses direct client requests for /WEB-INF, but the Servlet specification explicitly allows WEB-INF resources to be exposed through RequestDispatcher, and that is the mechanism this method uses.
Impact
This issue allows a local file read on the server by any user with script rights: any file under the web application root can be fetched, including WEB-INF/xwiki.cfg, which holds the superadmin password (the xwiki.superadminpassword property).
Repair
The path that invokeServletAndReturnAsString passes to servletRequest.getRequestDispatcher should be restricted before the dispatch is executed (for example, reject any path that resolves into /WEB-INF or /META-INF after decoding and normalisation), or the method should require programming rights.
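One way to implement the "restrict the parameter" half of that repair, as an added illustration that is not XWiki's own code. DispatchPathGuard, isSafeDispatchPath and percentDecode are hypothetical names. The check approximates what a servlet container does with a RequestDispatcher path (percent-decoding, collapsing "//" and "/./", resolving "..") and then refuses anything that touches WEB-INF or META-INF or tries to climb above the context root:

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/**
 * Added example, not XWiki code. Guards a context-relative path before it is
 * handed to ServletRequest.getRequestDispatcher(). Fails closed on anything
 * it cannot interpret.
 */
public final class DispatchPathGuard {

    private DispatchPathGuard() {
    }

    /** True only for an absolute, context-relative path that stays outside WEB-INF and META-INF. */
    public static boolean isSafeDispatchPath(String path) {
        if (path == null || !path.startsWith("/")) {
            return false; // dispatcher paths must be absolute within the context
        }
        int q = path.indexOf('?');
        String pathOnly = q >= 0 ? path.substring(0, q) : path; // judge the path, not the query string

        Deque<String> resolved = new ArrayDeque<>();
        for (String raw : pathOnly.split("/")) {
            String seg = percentDecode(raw);
            if (seg == null) {
                return false; // malformed %-escape: reject rather than guess
            }
            if (seg.isEmpty() || seg.equals(".")) {
                continue; // "//" and "/./" collapse to nothing
            }
            if (seg.equals("..")) {
                if (resolved.isEmpty()) {
                    return false; // attempt to escape the context root
                }
                resolved.removeLast();
                continue;
            }
            // A decoded segment must not smuggle in a separator or a NUL.
            if (seg.indexOf('/') >= 0 || seg.indexOf('\\') >= 0 || seg.indexOf('\0') >= 0) {
                return false;
            }
            // Compare case-insensitively: the backing file system may be.
            String upper = seg.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) {
                return false;
            }
            resolved.addLast(seg);
        }
        return true;
    }

    /** Decodes %XX escapes as UTF-8; returns null on a truncated or non-hex escape. */
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) {
                    return null;
                }
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) {
                    return null;
                }
                out.write((hi << 4) | lo);
                i += 2;
            } else {
                byte[] b = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
                out.write(b, 0, b.length);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed probe paths: the one from this report plus common evasions.
        String[] probes = {
            "/WEB-INF/xwiki.cfg",          // the path from this report
            "/web-inf/xwiki.cfg",          // case variation
            "/bin/../WEB-INF/xwiki.cfg",   // traversal back into WEB-INF
            "//WEB-INF/xwiki.cfg",         // doubled slash
            "/%57EB-INF/xwiki.cfg",        // percent-encoded 'W'
            "/WEB-INF%2Fxwiki.cfg",        // encoded separator
            "/../etc/passwd",              // above the context root
            "/bin/view/Main/WebHome",      // an ordinary XWiki path
        };
        for (String p : probes) {
            System.out.printf("%-30s -> %s%n", p, isSafeDispatchPath(p) ? "allowed" : "rejected");
        }
    }
}
```

Call isSafeDispatchPath on the caller-supplied string and refuse the dispatch when it returns false. This is a denylist, so it only closes the WEB-INF and META-INF cases the report describes; an allowlist of the specific servlet paths the wiki legitimately needs to dispatch to is stronger, and requiring programming rights for the method (the second repair option above) removes the problem for script-only users entirely.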
Reporter
nancheal@qingteng-73lab