XWiki Platform issue XWIKI-19800

Privilege escalation (PR) from user profile through the attachment selector



    • Unit
    • High
    • Unknown
    • N/A
    • N/A
    • Pull Request accepted


      Steps to reproduce:

      1. Log in as a simple user with just edit rights on the user profile
      2. Go to the user's profile
      3. Upload an attachment in the attachment tab at the bottom of the page (any image is fine).
      4. Click on "rename" in the attachment list and enter
        {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png

        as new attachment name and submit the rename.

      5. Go back to the user profile.
      6. Click on the edit icon on the user avatar

      Expected result:

      The attachment with name

      {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png

      is displayed and can be selected as user profile.

      Actual result:

      The attachment name is displayed as Hello from groovy!.png. The attachment also cannot be selected, selecting it gives a server error.

      This demonstrates a privilege escalation to programming rights from simple user rights. The actual issue is in the attachment selector macro. The macro is also vulnerable to attacks via macro parameters, which probably also allow injection of code that is executed with programming rights with just view rights, similar to the attack shown in XWIKI-19752. The affects version is the version I've used to reproduce the issue, but earlier versions might be vulnerable, too. It may be difficult to generate a file with a vulnerable name, though, as it is not a valid filename.
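Added example (not part of the issue report and not XWiki's own code): a small Python audit that reads the XML shape returned by the XWiki REST attachments listing, flags attachment names that carry macro markup such as the payload in the steps above, and shows the escaping a template has to apply before inlining a name into wiki syntax. The sample listing is constructed for this example; the escape helpers mirror the `~` escape character of XWiki Syntax 2.1, and the set of characters they escape is an assumption chosen for illustration, so a real template should call $services.rendering.escape rather than a hand-rolled helper.

```python
"""Audit XWiki attachment names for wiki-syntax markup before a template inlines them."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the XWiki REST attachments listing
# (GET .../pages/{page}/attachments); not a real capture. The second name is
# the payload from the steps to reproduce above.
SAMPLE_ATTACHMENTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<attachments xmlns="http://www.xwiki.org">
  <attachment><name>avatar.png</name></attachment>
  <attachment><name>{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png</name></attachment>
  <attachment><name>team-photo_2022.png</name></attachment>
</attachments>
"""

XWIKI_NS = {"x": "http://www.xwiki.org"}

# {{name ...}} / {{/name}}: the macro markers that the attachment selector
# handed to the renderer under programming rights.
MACRO_RE = re.compile(r"\{\{/?[A-Za-z][\w-]*")

# Characters that open XWiki syntax constructs. Assumption: an illustrative
# list, not the renderer's authoritative set; escaping every character with
# '~' is the fully conservative alternative.
SPECIAL = set("{}[]~*/_-^,#|=:;>()<")


def escape_xwiki21(text):
    """Prefix each syntax-significant character with '~' so it renders literally."""
    return "".join("~" + c if c in SPECIAL else c for c in text)


def unescape_xwiki21(text):
    """Inverse of escape_xwiki21: in XWiki Syntax 2.1, '~' makes the next character literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "~" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def attachment_names(xml_text):
    """Extract attachment names from a REST attachments listing."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.findall("x:attachment/x:name", XWIKI_NS)]


def audit(xml_text):
    """Return one finding per attachment: the raw name, whether it carries macro
    markup, and the form that is safe to inline into wiki syntax."""
    return [
        {
            "name": name,
            "has_macro_syntax": MACRO_RE.search(name) is not None,
            "safe_inline": escape_xwiki21(name),
        }
        for name in attachment_names(xml_text)
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_ATTACHMENTS_XML):
        flag = "MACRO" if f["has_macro_syntax"] else "ok   "
        print(f"{flag} {f['name']!r} -> {f['safe_inline']!r}")
```

Run against a live wiki by replacing SAMPLE_ATTACHMENTS_XML with the body of the REST attachments request for the profile page; any finding with has_macro_syntax set is a name that an unescaped template would hand to the renderer as markup rather than as text.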



              mleduc Manuel Leduc
              MichaelHamann Michael Hamann