Details
- Type: Bug
- Resolution: Solved By
- Priority: Blocker
- Affects Version: 3.3
- High
- Unknown
- N/A
- N/A
Description
Steps to reproduce
- As a user with programming rights, create a new AWM application with a field of type short text.
- As a user with just edit rights, create a new entry in the AWM application with the following content in the short text field:
{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}
Expected result
The value
{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}
is displayed in the text field.
Actual result
The value Hello from groovy! is displayed.
This demonstrates a privilege escalation attack from edit to programming rights. This can be exploited on any AWM application that has been created by a user with programming rights and contains a text field that is not the title. I haven't checked if other fields are exploitable, too. From what I've seen, the demo applications don't contain such a field. As this should be a common situation, I don't see that this limits the applicability of the attack.
The affects version is only the version I reproduced this on, this should also affect much older versions of XWiki.
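As an added example, not code from this issue or from XWiki itself, the Python below models the escaping gap that the linked XCOMMONS-2498 describes: an element-text escaper that handles only the XML-special characters lets `{` through, so a field value that was "escaped" still reaches the wiki parser as `{{async}}`/`{{groovy}}` macro syntax; escaping `{` as well (the example uses the numeric reference `&#123;`, one way to do it) closes that path while a browser still decodes the reference and shows the value verbatim, which is the expected result above. The function names, the macro-syntax regular expression and the sample entries are assumptions made for illustration only; the real fix lives in xwiki-commons.

```python
import html
import re

# Constructed for this example: XWiki 2.x wiki syntax opens a macro with
# "{{name" and closes it with "{{/name"; this pattern spots either form.
MACRO_SYNTAX = re.compile(r"\{\{\s*/?\s*[A-Za-z][\w-]*")

# The exact field value from the reproduction steps above.
PAYLOAD = ('{{async async="true" cached="false" context="doc.reference"}}'
           '{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}')


def escape_element_text_before(text: str) -> str:
    """Hypothetical model of an element-text escaper that covers only the
    three characters that are special inside an XML/HTML text node."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;"))


def escape_element_text_after(text: str) -> str:
    """The same escaper extended the way the linked issue asks for: '{' is
    turned into its numeric character reference, so the output can never
    contain the "{{" that starts a wiki macro."""
    return escape_element_text_before(text).replace("{", "&#123;")


def can_start_macro(escaped: str) -> bool:
    """True when the escaped text, if handed to the wiki parser, would still
    be read as macro syntax rather than as literal characters."""
    return MACRO_SYNTAX.search(escaped) is not None


def round_trips(text: str) -> bool:
    """A browser decodes character references back to the original text, so
    the user still sees the stored value unchanged (the expected result)."""
    return html.unescape(escape_element_text_after(text)) == text


# Constructed sample entries: what an audit of stored AWM short-text fields
# might look like. Entry names and values are made up for this example.
SAMPLE_ENTRIES = {
    "Entry1": "Quarterly report, see <b>appendix</b>",
    "Entry2": PAYLOAD,
    "Entry3": "Braces in prose { like this } are harmless",
    "Entry4": "{{velocity}}$xcontext.user{{/velocity}}",
}


def find_macro_syntax(entries: dict) -> list:
    """Names of entries whose stored value contains wiki macro syntax, i.e.
    values a sheet using the old escaper would have handed to the parser."""
    return sorted(name for name, value in entries.items()
                  if can_start_macro(value))


if __name__ == "__main__":
    for label, fn in (("before", escape_element_text_before),
                      ("after", escape_element_text_after)):
        print(f"{label}: macro syntax survives = {can_start_macro(fn(PAYLOAD))}")
    print("value shown to the user unchanged:", round_trips(PAYLOAD))
    print("entries to review:", find_macro_syntax(SAMPLE_ENTRIES))
```

The audit helper is the check a practitioner would want on an existing instance: stored short-text values containing `{{` are exactly the ones that ran with the sheet author's programming rights before the escaper was fixed, so they are worth reviewing regardless of the version now deployed.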
Attachments
Issue Links
- duplicates: XCOMMONS-2498 XWikiUtils#escapeElementText should also escape { (Closed)
- links to