Details
- Bug
- Resolution: Fixed
- Blocker
- 5.0-milestone-1
- Unit
- High
- Unknown
- N/A
- N/A
- Pull Request accepted
Description
Steps to reproduce:
- Log in as a simple user with just edit rights on the user profile.
- Go to the user's profile.
- Upload an attachment in the attachment tab at the bottom of the page (any image is fine).
- Click on "rename" in the attachment list and enter
  {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png
  as the new attachment name and submit the rename.
- Go back to the user profile.
- Click on the edit icon on the user avatar.
Expected result:
The attachment with name
{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png
is displayed and can be selected as user profile avatar.
Actual result:
The attachment name is displayed as Hello from groovy!.png. The attachment also cannot be selected; selecting it gives a server error.
This demonstrates a privilege escalation to programming rights from simple user rights. The actual issue is in the attachment selector macro: the attachment name is inserted into wiki markup without escaping, so macro syntax in the name is executed. The macro is also vulnerable to attacks via macro parameters, which probably also allow injection of code that is executed with programming rights with just view rights, similar to the attack shown in XWIKI-19752. The Affects Version is the version I've used to reproduce the issue, but earlier versions might be vulnerable, too. It may be difficult to generate a file with a vulnerable name, though, as it is not a valid filename.