Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Duplicate
Priority: Major
Fix Version/s: None
Affects Version/s: 12.10.8, 13.9
Component/s: Web - Templates & Resources
Labels:
- bugfixingday
- security

Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Execute a request such as

 http://localhost:8080/xwiki/bin/get/Sandbox/WebHome?xpage=getdocuments&childrenOf=Sandbox&exclude=Sandbox.WebHome&queryFilters=unique,hidden&offset=1&limit=15&reqNo=1&sort=%00%3Cscript%3E_q%3Drandom(X2975474880Y7_1Z)%3C%2Fscript%3E&dir=asc

Results:

the query includes the parameters from the URL

huge error on the server console

2021-11-22 17:00:12,874 [qtp1307904972-23 - http://localhost:8080/xwiki/bin/get/Sandbox/WebHome?xpage=getdocuments&childrenOf=Sandbox&exclude=Sandbox.WebHome&queryFilters=unique,hidden&offset=1&limit=15&reqNo=1&sort=%00%3Cscript%3E_q%3Drandom(X2975474880Y7_1Z)%3C%2Fscript%3E&dir=asc] ERROR c.x.x.XWiki                    - Error while evaluating velocity template [getdocuments.vm]

org.xwiki.rendering.RenderingException: Failed to execute renderer

at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.syncRender(DefaultAsyncRendererExecutor.java:270)

...

Caused by: org.apache.velocity.exception.MethodInvocationException: Invocation of method 'execute' in  class org.xwiki.query.internal.ScriptQuery threw exception org.xwiki.query.QueryException: Exception while executing query. Query statement = [WHERE 1=1 AND doc.fullName LIKE ?1 AND doc.fullName <> ?2 AND doc.fullName <> ?3 order by <script>_q=random(X2975474880Y7_1Z)</script> asc] at /templates/getdocuments.vm[line 119, column 23]

at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException(ASTMethod.java:308)

at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:235)

at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)

at org.apache.velocity.runtime.parser.node.ASTReference.value(ASTReference.java:704)

at org.apache.velocity.runtime.parser.node.ASTExpression.value(ASTExpression.java:75)

at org.apache.velocity.runtime.parser.node.ASTSetDirective.render(ASTSetDirective.java:242)

at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)

at org.apache.velocity.Template.merge(Template.java:358)

at org.apache.velocity.Template.merge(Template.java:262)

at org.xwiki.velocity.internal.DefaultVelocityEngine.evaluate(DefaultVelocityEngine.java:280)

... 67 common frames omitted

Caused by: org.xwiki.query.QueryException: Exception while executing query. Query statement = [WHERE 1=1 AND doc.fullName LIKE ?1 AND doc.fullName <> ?2 AND doc.fullName <> ?3 order by <script>_q=random(X2975474880Y7_1Z)</script> asc]

at com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor.execute(HqlQueryExecutor.java:176)

at org.xwiki.query.internal.DefaultQueryExecutorManager.execute(DefaultQueryExecutorManager.java:72)

at org.xwiki.query.internal.SecureQueryExecutorManager.execute(SecureQueryExecutorManager.java:67)

at org.xwiki.query.internal.DefaultQuery.execute(DefaultQuery.java:306)

at org.xwiki.query.internal.ScriptQuery.execute(ScriptQuery.java:254)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)

at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)

at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)

... 75 common frames omitted

Caused by: com.xpn.xwiki.XWikiException: Error number 0 in 3: Exception while hibernate execute

at com.xpn.xwiki.store.XWikiHibernateBaseStore.execute(XWikiHibernateBaseStore.java:826)

at com.xpn.xwiki.store.XWikiHibernateBaseStore.executeRead(XWikiHibernateBaseStore.java:889)

at com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor.execute(HqlQueryExecutor.java:164)

... 86 common frames omitted

Caused by: java.lang.RuntimeException: Invalid HQL query [select distinct doc.fullName, <script>_q=random(X2975474880Y7_1Z)</script> from XWikiDocument doc WHERE (doc.hidden <> true or doc.hidden is null) and (1=1 AND doc.fullName LIKE ?1 AND doc.fullName <> ?2 AND doc.fullName <> ?3) order by <script>_q=random(X2975474880Y7_1Z)</script> asc]

at org.xwiki.query.internal.EscapeLikeParametersQuery.getStatement(EscapeLikeParametersQuery.java:126)

at com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor.createHibernateQuery(HqlQueryExecutor.java:199)

at com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor.lambda$execute$0(HqlQueryExecutor.java:165)

at com.xpn.xwiki.store.XWikiHibernateBaseStore.execute(XWikiHibernateBaseStore.java:820)

... 88 common frames omitted

Caused by: net.sf.jsqlparser.JSQLParserException: Encountered unexpected token: "," ","

    at line 1, column 29.

Expected results: the query is filtered before being executed, and the sort parameter value is not injected "as it"

Attachments

Issue Links

duplicates

XWIKI-17568 HQL injection in getdocuments.vm with sort parameter

Closed

Activity

People

Assignee:: Simon Urli

Reporter:: Elena-Oana Florea

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 22/Nov/21 16:06

Updated:: 2 days ago 18:17

Resolved:: 10/Mar/22 17:43

Date of First Response:: 25/Nov/21 9:36 AM