Details
- Bug
- Resolution: Fixed
- Blocker
- 10.9
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Add
{{activity wikis="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}"/}}
to any place where wiki syntax is accepted, such as the "about" section of your user profile, as a user without programming or script rights.
Expected result:
The notifications macro is displayed for some strange wiki name.
Actual result:
The [notifications] macro is a standalone macro and it cannot be used inline. Click on this message for details. Hello from Groovy!" displayMinorEvents="false" displayRSSLink="false" /}}
is displayed. This shows that the Groovy macro was executed, i.e. the attacker has gained programming rights, which allow read and write access to the whole wiki and to the host system.
The attack can be executed with just an account that has write access to the user profile, or even with view rights only via CKEditor's HTML converter.
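The mechanism behind this report, as an added illustration that is not XWiki's code: a simplified Python model of the activity macro building a {{notifications}} call from its wikis parameter, the vulnerable concatenation beside a form that escapes the value per XWiki 2.x macro-parameter syntax, and a small parameter-aware tag parser (a stand-in, not XWiki's rendering engine) showing which macros each rendering would invoke. The attacker value is constructed from the one in the description, without its async wrapper.

```python
import re

# Constructed attacker value, modelled on the report: the activity macro receives this as its
# already-unescaped "wikis" parameter (the report's async wrapper is left out for brevity).
INJECTED_WIKIS = '" /}} {{groovy}}println("Hello from Groovy!"){{/groovy}}'
TAIL = '" displayMinorEvents="false" displayRSSLink="false" /}}'

def build_unsafe(wikis):
    """Vulnerable pattern: untrusted value concatenated into wiki syntax; a `"` in it
    closes the parameter and the rest is parsed as new markup."""
    return '{{notifications wikis="' + wikis + TAIL

def escape_param(value):
    """Escape for a quoted XWiki 2.x macro parameter: `~` is the escape character,
    so double it first, then turn `"` into `~"`."""
    return value.replace('~', '~~').replace('"', '~"')

def build_safe(wikis):
    """Hardened form: same markup, untrusted value escaped."""
    return '{{notifications wikis="' + escape_param(wikis) + TAIL

_OPEN, _PARAM = re.compile(r'\{\{(\w+)'), re.compile(r'(\w+)="')

def parse_macro(markup, pos=0):
    """Parse one {{name k="v" ... /}} or {{name k="v"}} tag at `pos`, honouring `~`
    escapes inside quoted values. Returns (name, params, end_pos)."""
    m = _OPEN.match(markup, pos)
    if not m:
        raise ValueError('no macro at position %d' % pos)
    name, i, params = m.group(1), m.end(), {}
    while True:
        while i < len(markup) and markup[i] == ' ':
            i += 1
        if markup.startswith('/}}', i):
            return name, params, i + 3
        if markup.startswith('}}', i):
            return name, params, i + 2
        km = _PARAM.match(markup, i)
        if not km:
            raise ValueError('malformed parameter at position %d' % i)
        key, i, buf = km.group(1), km.end(), []
        while i < len(markup) and markup[i] != '"':
            if markup[i] == '~' and i + 1 < len(markup):
                i += 1                      # escaped: take the next character literally
            buf.append(markup[i])
            i += 1
        params[key] = ''.join(buf)
        i += 1                              # skip the closing quote

def macro_names(markup):
    """Names of every macro the rendered markup would invoke, in order."""
    names, pos = [], 0
    while m := _OPEN.search(markup, pos):
        name, _, pos = parse_macro(markup, m.start())
        names.append(name)
    return names
```

With the unsafe builder the rendering invokes both notifications and groovy, which is exactly the leftover `" displayMinorEvents="false" ...` text seen in the actual result above; with the escaped builder the whole attacker string stays a single inert parameter value.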
Issue Links
- is caused by XWIKI-15660 Create an "activity" macro to replace Activity Stream with notifications (Closed)
- links to