Details
- Type: Bug
- Resolution: Fixed
- Priority: Critical
- Affects Version: 1.3 RC1
Description
Steps to reproduce:
- In the administration, under rights, remove scripting rights from XWikiAllGroup.
- Create a new user without any special privileges.
- Create a page "Private.WebHome" with TOKEN_42 as content. Go to "page administration" and explicitly set all rights for "Admin" to remove them for all other users.
- Logout and login as the unprivileged user. Ensure that the previously created page cannot be viewed.
- Create a new page "ExploitClass.WebHome" and then open it in the class editor (first, make the user an advanced user).
- Add a field named ContentList of type Database List.
- Enter in field "Hibernate Query" the following content:
select doc.content, doc.fullName from XWikiDocument as doc where doc.fullName = 'Private.WebHome'
- Save the class.
- Open http://localhost:8080/xwiki/bin/view/ExploitClass/?xpage=suggest&classname=ExploitClass.WebHome&fieldname=ContentList&firCol=doc.fullName&secCol=-
Expected Result:
The results are empty or an error is displayed.
Actual Result:
The query is executed and the results are displayed without any filtering as shown in this example:
<results type="2"> <rs id="" info="Secret content with TOKEN_42">Private page.WebHome</rs> </results>
Note that for the equivalent REST endpoint, http://localhost:8080/xwiki/rest/wikis/xwiki/classes/ExploitClass.WebHome/properties/ContentList/values?limit=1000, the following error is displayed as expected:
org.xwiki.query.QueryException: The query requires programming right. Query statement = [select doc.content, doc.fullName from XWikiDocument as doc where doc.fullName = 'Private page.WebHome']
This issue is related to XWIKI-14700, disclosed in the release notes of XWiki 9.8RC1. Independently of this, the issue existed and should be exploitable since 1.3RC1, when suggest.vm was introduced as part of XWIKI-1604. In early versions of XWiki, the query needed to be executed in the view action of a document that had been saved by a user with programming rights, but this is no mitigation since, for example, the admin's user profile should always have programming rights.
Note that if the database list property has been saved by a user with programming rights, this is exploitable with just view rights on the class definition. However, I'm assuming here that no such database list property exists (from a search, there seems to be no exploitable one in XWiki Standard) and thus that the attacker requires edit rights to create the query.