Details
- Bug
- Resolution: Fixed
- Blocker
- 4.3-milestone-2
- Integration
- High
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Login as an unprivileged user (no edit rights beyond user profile)
- Enable advanced mode if disabled (press x+x+x+a).
- Edit the user profile with the wiki editor
- Change the content to
{{groovy}} println("Hello from Groovy!") {{/groovy}}
- Click "Save & View"
- Open the object editor
- Add an object of type "MenuClass"
- Click "Save & View"
Expected result:
An error is displayed that the groovy script macro is not allowed.
Actual result:
The text "Hello from Groovy!" is displayed below "Menu structure", showing that the groovy code has been executed.
This demonstrates a privilege escalation from account to programming rights. This is very likely related to XWIKI-5027, but it is not clear to me if it is the only cause or if there are further problems. This concerns all AWM applications that display the content field; the reproduction steps also work by using Help.Applications.Movies.Code.MoviesClass instead of Menu.MenuClass.
The affects version is currently the first version where the MenuClass was introduced; I've reproduced the issue on 5.1 after installing the menu application (bundled since 9.4). As the issue affects all AWM applications, this issue is potentially reproducible on older versions if an AWM application that has programming rights exists.
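As an added, defender-side example (not code from the XWiki project or from the reporter): a small Python audit that flags wiki documents whose content contains a script macro while the content author is not in the set of users holding programming rights, and raises the severity when such a document also carries an object of an AWM class, since that is the combination the report above describes (script macro in a profile page plus a MenuClass object rendered by a privileged sheet). The macro list, the `WikiDoc` structure, the user and class names, and the sample documents are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Script macros that XWiki executes only when the document's content author holds
# script/programming rights. The list is an assumption for this example.
SCRIPT_MACROS = ("groovy", "velocity", "python", "php", "ruby", "script")

# Matches an opening macro tag such as {{groovy}} or {{velocity output="false"}}.
# Closing tags ({{/groovy}}) do not match because of the leading slash.
MACRO_RE = re.compile(
    r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b[^}]*\}\}", re.IGNORECASE
)


@dataclass
class WikiDoc:
    """Minimal stand-in for an XWiki document (constructed, not the XWiki API)."""
    reference: str
    content_author: str
    content: str
    object_classes: tuple = field(default_factory=tuple)  # xclass names of attached objects


def find_script_macros(content: str) -> list:
    """Return the distinct script macro names used in the content, sorted."""
    return sorted({m.group(1).lower() for m in MACRO_RE.finditer(content)})


def audit(docs, programming_users, sheet_classes) -> list:
    """Flag documents with script macros whose author lacks programming rights.

    Severity is 'high' when the document also has an object of a class whose
    sheet renders the content field (the AWM case), otherwise 'medium'.
    """
    findings = []
    for d in docs:
        macros = find_script_macros(d.content)
        if not macros or d.content_author in programming_users:
            continue
        sheets = [c for c in d.object_classes if c in sheet_classes]
        findings.append({
            "document": d.reference,
            "author": d.content_author,
            "macros": macros,
            "rendering_sheets": sheets,
            "severity": "high" if sheets else "medium",
        })
    return findings


# Constructed sample data: one unprivileged profile page matching the report,
# one admin-authored page (allowed), one unprivileged page with no AWM object.
PROGRAMMING_USERS = {"XWiki.Admin"}
SHEET_CLASSES = {"Menu.MenuClass", "Help.Applications.Movies.Code.MoviesClass"}
SAMPLE_DOCS = [
    WikiDoc("XWiki.JohnDoe", "XWiki.JohnDoe",
            '{{groovy}} println("Hello from Groovy!") {{/groovy}}',
            ("XWiki.XWikiUsers", "Menu.MenuClass")),
    WikiDoc("Admin.Tools", "XWiki.Admin",
            "{{velocity}}$xwiki.getVersion(){{/velocity}}"),
    WikiDoc("Sandbox.Notes", "XWiki.JohnDoe",
            "{{velocity}}$xwiki.getVersion(){{/velocity}}"),
]


def run_sample() -> list:
    """Run the audit over the constructed sample and return the findings."""
    return audit(SAMPLE_DOCS, PROGRAMMING_USERS, SHEET_CLASSES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['document']} by {f['author']}: "
              f"macros={f['macros']} sheets={f['rendering_sheets']}")
```

The audit is a review aid, not a fix: the underlying defect is that the sheet renders the content field with the sheet author's rights rather than the content author's, so the durable mitigation is the change on the rendering side, with this scan serving to locate pages that would be affected until that change is deployed.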
Attachments
Issue Links
- is related to
  - XWIKI-13605 Content field cannot be previewed in an AWM (Closed)
  - XWIKI-7369 Add document title and document content to the field palette (class editor) (Closed)