The context macro, in combination with the async macro, allows executing macros as any user without programming rights who has authored at least one document that the current user can access. The current user might be a guest user. This allows different kinds of attacks:
Escalation to script rights - steps to reproduce:
- Create a document (can also be your user profile) with content
Replace xwiki:XWiki.username by the document reference of the document that has script rights.
Alternative with anonymous view rights: Open
where <Server> is the URL of your XWiki installation. You might need to replace %7B%7Bcontext%20document%3D%22xwiki%3AXWiki.username%22%20transformationContext%3D%22document%22%7D%7D%7B%7Bvelocity%7D%7DHello%20from%20Velocity!%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fcontext%7D%7D by the result of applying encodeURIComponent to the page content you want to use (replacing in particular the document reference by the one of the document with script but not programming rights).
Expected result: An error is displayed that the user doesn't have script rights.
Actual result: The message "Hello from Velocity!" is displayed without any surrounding text, showing that the Velocity macro has been executed. This is because the context macro only checks whether the user gained programming rights, but not whether the user gained script rights.
Impersonation (with script rights) - steps to reproduce:
Save a document with the following content (or execute it using the HTMLConverter as explained before):
Expected result: The document xwiki:XWiki.username is unchanged.
Actual result: The content of xwiki:XWiki.username has been replaced by "Hello from attacker!" with content author XWiki.username, even though this is executed by an anonymous attacker. I expect that this would also allow using the full admin privileges of the impersonated user.
Information disclosure - steps to reproduce:
- Create a document "Hello" that is accessible by the impersonated user but not the current user.
- Execute the following content (in the user profile or via the HTMLConverter):
Expected result: The document "Hello" isn't displayed.
Actual result: The document "Hello" is displayed.
Note that this doesn't even require that the impersonated user has script rights.
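All three scenarios above share one shape: a `{{context document="..."}}` invocation that switches to another document's author and wraps a script macro. The following scanner, added here as an example and not part of the advisory or of XWiki itself, walks page contents and flags such invocations so an administrator can audit who is using the macro this way; the sample page contents are constructed, and the `normalise` helper assumes a single wiki named `xwiki`.

```python
import re
from dataclasses import dataclass
from typing import List, Dict

# Constructed sample page contents modelled on the macro shape the advisory describes.
SAMPLES: Dict[str, str] = {
    "XWiki.Attacker": '{{context document="xwiki:XWiki.username" transformationContext="document"}}'
                      '{{velocity}}Hello from Velocity!{{/velocity}}{{/context}}',
    "XWiki.Benign": 'Intro {{context document="XWiki.Benign"}}{{velocity}}$doc.title{{/velocity}}{{/context}}',
    "XWiki.Plain": '{{info}}No context macro here.{{/info}}',
}

# {{context <params>}} ... {{/context}} in XWiki 2.x syntax; params are key="value" pairs.
CONTEXT_RE = re.compile(r'\{\{context\b([^}]*)\}\}(.*?)\{\{/context\}\}', re.DOTALL | re.IGNORECASE)
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# Macros whose body is executed with the (possibly switched) author's script rights.
SCRIPT_MACRO_RE = re.compile(r'\{\{(velocity|groovy|python|ruby|php|script)\b', re.IGNORECASE)

@dataclass
class Finding:
    page: str
    target: str            # value of the context macro's document= parameter
    transformation: str    # transformationContext= parameter, '' if absent
    has_script_macro: bool
    severity: str

def normalise(ref: str) -> str:
    # Assumption: a single wiki, so "xwiki:Space.Page" and "Space.Page" name the same document.
    return ref[len("xwiki:"):] if ref.lower().startswith("xwiki:") else ref

def parse_params(raw: str) -> Dict[str, str]:
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None) for m in PARAM_RE.finditer(raw)}

def scan_page(page: str, content: str) -> List[Finding]:
    findings = []
    for m in CONTEXT_RE.finditer(content):
        params, body = parse_params(m.group(1)), m.group(2)
        target = params.get("document")
        if target is None:
            continue  # no document switch, so nothing runs as another author
        scripted = SCRIPT_MACRO_RE.search(body) is not None
        if normalise(target) == normalise(page):
            severity = "low"        # self-reference: runs with the page's own author anyway
        else:
            severity = "high" if scripted else "medium"
        findings.append(Finding(page, target, params.get("transformationContext", ""), scripted, severity))
    return findings

def scan_all(pages: Dict[str, str]) -> List[Finding]:
    return [f for page, content in pages.items() for f in scan_page(page, content)]
```

Run it over a dump of page contents (for example from the database or the XAR export) and review every "high" finding whose page author lacks programming rights.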