XWiki Platform: XWIKI-20258

Privilege escalation (PR) from account/view through the Legacy ActivityMacro



    Description

      Steps to reproduce:

      Add

      {{activity wikis="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}"/}}

      to any place where you can use wiki syntax like the "about" section in your user profile as a user without programming or script rights.

      Expected result:

      The notifications macro is displayed for some strange wiki name.

      Actual result:

      The [notifications] macro is a standalone macro and it cannot be used inline. Click on this message for details.
      Hello from Groovy!"    displayMinorEvents="false" displayRSSLink="false" /}}

      is displayed. This shows that the Groovy macro has been executed and the attacker has gained programming rights, allowing read and write access to the whole wiki and host system.

      The attack can be executed with just an account that has write access to the user profile, or, via CKEditor's HTML converter, with just view rights.
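      The root cause described above is a wiki-syntax injection: the value of the `wikis` parameter is interpolated into the `{{notifications ... /}}` markup the legacy macro generates, and a value containing a raw quote and `/}}` terminates that macro early, so the remainder is rendered as new content. The following Python script is an added illustration of the general fix (escape before interpolation) and is not XWiki's own code or its actual patch. It assumes the shape of the generated markup from the trailer visible in the "Actual result" output (`displayMinorEvents="false" displayRSSLink="false" /}}`) and the XWiki 2.x escape rule where `~` escapes the next character; the small parser is a stand-in for the real renderer, used only to show where an injected value ends up. The hostile input is constructed and uses a harmless placeholder macro in place of `{{groovy}}`.

```python
import re

# XWiki 2.x syntax uses "~" as its escape character: "~x" is a literal x and
# "~~" a literal "~". The payload in this issue relies on exactly that rule to
# smuggle a raw quote and a raw "}}" into the generated notifications macro.
ESCAPE = "~"

# Shape of the generated markup, inferred from the "Actual result" output in
# the issue. This is an assumption, not the real ActivityMacro template.
TEMPLATE = ('{{{{notifications wikis="{wikis}" displayMinorEvents="false" '
            'displayRSSLink="false" /}}}}')


def escape_param(value: str) -> str:
    """Make an untrusted string safe inside a double-quoted macro parameter.

    The escape character is doubled first; otherwise an attacker-supplied
    trailing "~" would consume the "~" we add in front of a quote.
    """
    return value.replace(ESCAPE, ESCAPE + ESCAPE).replace('"', ESCAPE + '"')


def build_unsafe(wikis: str) -> str:
    """The vulnerable pattern: raw interpolation into wiki syntax."""
    return TEMPLATE.format(wikis=wikis)


def build_safe(wikis: str) -> str:
    """The hardened pattern: escape before interpolation."""
    return TEMPLATE.format(wikis=escape_param(wikis))


def parse_first_macro(markup: str):
    """Read one macro call of the form {{name key="value" ... /}} from the
    start of `markup`, honouring "~" escapes inside quoted values.

    Returns (name, params, remainder). The remainder is what a renderer would
    go on to parse as further content, which is where an injected macro lands.
    Deliberately minimal; not XWiki's parser.
    """
    if not markup.startswith("{{"):
        raise ValueError("not a macro call")
    i = 2
    m = re.match(r"[A-Za-z0-9_]+", markup[i:])
    if not m:
        raise ValueError("missing macro name")
    name = m.group(0)
    i += len(name)
    params = {}
    while True:
        while i < len(markup) and markup[i] == " ":
            i += 1
        if markup.startswith("/}}", i):
            return name, params, markup[i + 3:]
        if markup.startswith("}}", i):
            return name, params, markup[i + 2:]
        m = re.match(r'([A-Za-z0-9_]+)="', markup[i:])
        if not m:
            raise ValueError(f"unexpected input at offset {i}: {markup[i:i + 10]!r}")
        key = m.group(1)
        i += m.end()
        buf = []
        while i < len(markup) and markup[i] != '"':
            if markup[i] == ESCAPE and i + 1 < len(markup):
                i += 1  # escaped: take the next character literally
            buf.append(markup[i])
            i += 1
        if i >= len(markup):
            raise ValueError("unterminated parameter value")
        i += 1  # closing quote
        params[key] = "".join(buf)


def breaks_out(wikis: str, builder) -> bool:
    """True when the value terminates the notifications macro early, leaving
    attacker-controlled markup for the renderer to parse next."""
    _, params, rest = parse_first_macro(builder(wikis))
    return params.get("wikis") != wikis or "{{" in rest


# Constructed input following the break-out pattern of the issue's payload,
# with a harmless placeholder macro instead of a script macro.
HOSTILE_WIKIS = 'wiki" /}} {{injected /}}'

if __name__ == "__main__":
    print(build_unsafe(HOSTILE_WIKIS))
    print("unsafe breaks out:", breaks_out(HOSTILE_WIKIS, build_unsafe))
    print(build_safe(HOSTILE_WIKIS))
    print("safe breaks out:  ", breaks_out(HOSTILE_WIKIS, build_safe))
```

Escaping is the minimum: with `build_safe` the whole hostile string stays inside the `wikis` value and nothing is left over for the renderer. A stricter defence for a parameter that is supposed to name wikis is to validate it against the set of identifiers that actually exist before building any markup at all, so that arbitrary text never reaches the template.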

            People

              Assignee: Michael Hamann
              Reporter: Michael Hamann
              Votes: 0
              Watchers: 1