
Privilege escalation (PR) from account through AWM content fields



    • Integration
    • High
    • Unknown
    • N/A
    • N/A


      Steps to reproduce:

      1. Login as an unprivileged user (no edit rights beyond user profile)
      2. Enable advanced mode if disabled (press x+x+x+a).
      3. Edit the user profile with the wiki editor
      4. Change the content to
          println("Hello from Groovy!")
      5. Click "Save & View"
      6. Open the object editor
      7. Add an object of type "MenuClass"
      8. Click "Save & View"

      Expected result:

      An error is displayed that the groovy script macro is not allowed.

      Actual result:

      The text "Hello from Groovy!" is displayed below "Menu structure", showing that the groovy code has been executed.

      This demonstrates a privilege escalation from account to programming rights. This is very likely related to XWIKI-5027, but it is not clear to me if it is the only cause or if there are further problems. This concerns all AWM applications that display the content field; the reproduction steps also work by using Help.Applications.Movies.Code.MoviesClass instead of Menu.MenuClass.

      The affects version is currently the first version where the MenuClass was introduced, I've reproduced the issue on 5.1 after installing the menu application (bundled since 9.4). As the issue affects all AWM applications, this issue is potentially reproducible on older versions if an AWM application that has programming rights exists.
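      The report above describes a script macro placed in a low-privileged user's profile content being executed when an AWM sheet renders that content field. One thing an administrator can do while waiting for a fix is audit stored pages for script macros whose content author is not on the list of users who are supposed to hold programming rights. The following is an added example (not part of this issue or of the XWiki code base) that runs such an audit over page documents in the XAR page-XML layout (`<xwikidoc>` with `<contentAuthor>`, `<content>` and `<object>/<className>` elements); the sample documents and the programming-rights user list are constructed for the example, and the macro-name list is an assumption about which macros to treat as script macros.

```python
import re
import xml.etree.ElementTree as ET

# Macros whose body is executed as script; a content field containing one of
# these is only safe if whoever renders it really had programming rights.
# (Assumed list; extend it for any other script macros installed on the wiki.)
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|python|php|velocity|script)\b", re.IGNORECASE)

# Constructed sample documents (not real exports) in XWiki's XAR page-XML layout.
SAMPLE_DOCS = [
    # An unprivileged user's profile page with a Groovy macro and a MenuClass object,
    # mirroring the reproduction steps of the report.
    """<xwikidoc version="1.3" reference="XWiki.Alice" locale="">
  <web>XWiki</web>
  <name>Alice</name>
  <author>XWiki.Alice</author>
  <contentAuthor>XWiki.Alice</contentAuthor>
  <content>{{groovy}}println("Hello from Groovy!"){{/groovy}}</content>
  <object><className>Menu.MenuClass</className></object>
</xwikidoc>""",
    # A harmless profile page with plain wiki content.
    """<xwikidoc version="1.3" reference="XWiki.Bob" locale="">
  <web>XWiki</web>
  <name>Bob</name>
  <author>XWiki.Bob</author>
  <contentAuthor>XWiki.Bob</contentAuthor>
  <content>= About me =\n\nI like **bold** text.</content>
</xwikidoc>""",
    # A page whose script macro was written by an administrator (expected to be legitimate).
    """<xwikidoc version="1.3" reference="Admin.Dashboard" locale="">
  <web>Admin</web>
  <name>Dashboard</name>
  <author>XWiki.Admin</author>
  <contentAuthor>XWiki.Admin</contentAuthor>
  <content>{{velocity}}$xcontext.user{{/velocity}}</content>
</xwikidoc>""",
]

# Constructed list of accounts that are allowed to hold programming rights.
PROGRAMMING_RIGHTS_USERS = {"XWiki.Admin", "XWiki.superadmin"}


def parse_page(xml_text):
    """Extract the fields the audit needs from one page-XML document."""
    root = ET.fromstring(xml_text)
    return {
        "reference": root.get("reference"),
        "content_author": (root.findtext("contentAuthor") or "").strip(),
        "content": root.findtext("content") or "",
        # Classes of attached objects: an AWM class here means a sheet will render the content.
        "classes": [c.text.strip() for c in root.iterfind("object/className") if c.text],
    }


def find_script_macros(content):
    """Return the sorted set of script macro names used in a content field."""
    return sorted({m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(content)})


def audit(xml_docs, programming_rights_users):
    """List every page whose content uses a script macro, noting whether the
    content author is on the allowed programming-rights list."""
    findings = []
    for xml_text in xml_docs:
        page = parse_page(xml_text)
        macros = find_script_macros(page["content"])
        if not macros:
            continue
        findings.append({
            "reference": page["reference"],
            "content_author": page["content_author"],
            "macros": macros,
            "classes": page["classes"],
            "author_has_pr": page["content_author"] in programming_rights_users,
        })
    return findings


def suspicious(findings):
    """Findings whose content author is not expected to have programming rights."""
    return [f for f in findings if not f["author_has_pr"]]


if __name__ == "__main__":
    for f in suspicious(audit(SAMPLE_DOCS, PROGRAMMING_RIGHTS_USERS)):
        print(f"{f['reference']}: {', '.join(f['macros'])} macro(s) by {f['content_author']}, "
              f"objects: {f['classes'] or 'none'}")
```

Run against a real XAR export, feed the XML text of each page into `audit` and review the `suspicious` entries by hand: a script macro in a profile or other user-editable page, especially one that also carries an AWM class object, is exactly the pattern this report describes.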


              mflorea Marius Dumitru Florea
              MichaelHamann Michael Hamann