XWiki Platform: XWIKI-18870

LFI on XWIKI through $xwiki.invokeServletAndReturnAsString

    Details

    Difficulty: Unknown
    Documentation: N/A
    Documentation in Release Notes: N/A

      Description

      Summary

      A user without program permission, but with script permission and permission to edit wiki content, can read files on the XWiki server, such as the xwiki.cfg file containing the superadmin password.

      Tested Version

      XWiki 13.5 standalone.

      Details

      After the vulnerability reported in XWIKI-17141 (https://jira.xwiki.org/browse/XWIKI-17141), XWiki upgraded its Velocity core and restricted the execution of Java code to users with program permission.

      But XWiki also exposes many other variables to scripts, such as:
      $parent
      $copyright
      $isGuest
      $isSuperAdmin
      $sessionAttributeName
      $context
      $spaceHome
      $displayDocExtra
      $defaultDocumentEditor
      $globalprefs
      $util
      $hasedit...

      We found that an attacker can read sensitive files on the server and echo them to the server by calling $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg").

      Impact

      This issue may lead to a local file read.

      Repair

      The path passed to servletRequest.getRequestDispatcher should be restricted before the dispatch is executed, or this function should require program permission.
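One way to apply the restriction suggested above, as an added example that is not XWiki's own code: a standalone check on the path before it is handed to getRequestDispatcher, combined with the program-permission requirement. The class name, the method names and the callerHasProgramPermission flag are assumptions for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/** Added example (not XWiki's code): guard for a script-exposed internal dispatch path. */
public final class DispatcherPathGuard {

    /** Collapses "." and ".." segments; returns null if ".." would climb above the context root. */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null; // would escape the web application root
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** True only if the path is context-relative and, once normalized, stays out of WEB-INF and META-INF. */
    public static boolean isAllowedDispatchPath(String path) {
        if (path == null || !path.startsWith("/")) return false;
        // Still-encoded, backslash- or NUL-bearing input is rejected rather than decoded here.
        if (path.indexOf('%') >= 0 || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) return false;
        int q = path.indexOf('?'); // the query string plays no part in resource resolution
        String normalized = normalize(q >= 0 ? path.substring(0, q) : path);
        if (normalized == null) return false;
        // Compared case-insensitively so a case-insensitive filesystem cannot be used to bypass the check.
        String first = normalized.substring(1).split("/", 2)[0].toLowerCase(Locale.ROOT);
        return !first.equals("web-inf") && !first.equals("meta-inf");
    }

    /** Both conditions the report proposes: a safe path and a caller holding program permission. */
    public static boolean mayInvoke(String path, boolean callerHasProgramPermission) {
        return callerHasProgramPermission && isAllowedDispatchPath(path);
    }

    public static void main(String[] args) {
        String[] samples = {"/WEB-INF/xwiki.cfg", "/bin/../WEB-INF/xwiki.cfg", "/../xwiki.cfg",
                            "/web-inf/xwiki.cfg", "/bin/view/Main/WebHome"};
        for (String s : samples) {
            System.out.println(s + " -> " + isAllowedDispatchPath(s)); // only the last prints true
        }
    }
}
```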

      Reporter

      nancheal@qingteng-73lab

              People

              Assignee: tmortagne (Thomas Mortagne)
              Reporter: nancheal
              Votes: 0
              Watchers: 2