Details
- Bug
- Resolution: Fixed
- Blocker
- 7.4-milestone-2
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Add
{{vfsTree root="~" /~}~} {{cache id=~"vfs-macro-content~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}{{/cache~}~}"/}}
to any place where you can use wiki syntax like the "about" section in your user profile as a user without programming or script rights.
Expected result:
An empty VFS Tree or some error is displayed.
Actual result:
The output
The [tree] macro is a standalone macro and it cannot be used inline. Click on this message for details. Hello from Groovy!" reference="path:/xwiki/bin/get/XWiki/username?sheet=Macros.VFSTreeJSON&outputSyntax=plain" links="true"/}}
is displayed. This shows that the Groovy macro has been executed and thus programming rights have been gained. This is because the VFS Tree macro allows XWiki syntax injection through the root parameter.
Note that the VFS Tree macro, while being part of xwiki-platform, is not bundled with XWiki and thus this issue cannot be exploited on a default installation of XWiki.
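The root cause stated above, a macro parameter being pasted into generated wiki syntax without escaping, can be shown with a small Python model. This is an added example, not XWiki's code: the `build_tree_macro_*` functions and the `scan_macros` scanner are hypothetical, and the scanner is a deliberately simplified model of XWiki 2.1 macro syntax (`{{name param="value"/}}`, with `~` escaping the character that follows it). The sample root value and the reference are taken from the report. The unsafe builder lets the root value close the `root` parameter early and inject further macros; the hardened builder escapes the value, so the scanner sees a single `tree` macro whose `root` parameter is exactly the supplied string.

```python
"""Added illustration (not XWiki's code): why an unescaped macro parameter lets a
caller inject further macros, and how escaping the value closes that path.

The scanner below is a deliberately simplified model of XWiki 2.1 macro syntax:
    {{name param="value" other="value"/}}   or   {{name}} ... {{/name}}
Inside a double-quoted value, '~' escapes the next character, so '~"' is a
literal quote and does not end the value.
"""
import re

# Constructed from the report: the root value the macro receives once the
# payload's '~' escapes have been resolved, and the reference the macro generates.
INJECTED_ROOT = ('" /}} {{cache id="vfs-macro-content"}}{{groovy}}'
                 'println("Hello from Groovy!"){{/groovy}}{{/cache}}')
REFERENCE = 'path:/xwiki/bin/get/XWiki/username?sheet=Macros.VFSTreeJSON&outputSyntax=plain'


def escape_macro_parameter(value: str) -> str:
    """Escape a string for use inside a double-quoted XWiki 2.1 macro parameter.

    '~' must be escaped first, then the quote. Braces are escaped as well: '~x'
    yields a literal x in XWiki 2.1 syntax, so over-escaping is harmless and it
    mirrors the '~}~}' form in the report's own payload.
    """
    out = value.replace('~', '~~')
    for ch in '"{}':
        out = out.replace(ch, '~' + ch)
    return out


def build_tree_macro_unsafe(root: str, reference: str) -> str:
    """Vulnerable pattern: raw string concatenation of a caller-controlled value."""
    return f'{{{{tree root="{root}" reference="{reference}" links="true"/}}}}'


def build_tree_macro_safe(root: str, reference: str) -> str:
    """Hardened pattern: every interpolated value is escaped as a parameter."""
    return (f'{{{{tree root="{escape_macro_parameter(root)}" '
            f'reference="{escape_macro_parameter(reference)}" links="true"/}}}}')


MACRO_NAME = re.compile(r'\{\{([A-Za-z][A-Za-z0-9_]*)')
PARAM_START = re.compile(r'([A-Za-z][A-Za-z0-9_]*)="')


def scan_macros(wiki_text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (name, parameters) for every opening macro the simplified model finds."""
    found = []
    i, n = 0, len(wiki_text)
    while i < n:
        m = MACRO_NAME.match(wiki_text, i)
        if not m:
            i += 1
            continue
        name, i, params = m.group(1), m.end(), {}
        while i < n:
            while i < n and wiki_text[i].isspace():
                i += 1
            if wiki_text.startswith('/}}', i) or wiki_text.startswith('}}', i):
                i += 3 if wiki_text[i] == '/' else 2
                break
            pm = PARAM_START.match(wiki_text, i)
            if not pm:          # malformed parameter list: stop, treat rest as text
                break
            pname, i, buf = pm.group(1), pm.end(), []
            while i < n and wiki_text[i] != '"':
                if wiki_text[i] == '~' and i + 1 < n:
                    buf.append(wiki_text[i + 1])   # escaped character is literal
                    i += 2
                else:
                    buf.append(wiki_text[i])
                    i += 1
            i += 1                                 # skip the closing quote
            params[pname] = ''.join(buf)
        found.append((name, params))
    return found


def macro_names(wiki_text: str) -> list[str]:
    """Names of the macros the scanner would execute, in order of appearance."""
    return [name for name, _ in scan_macros(wiki_text)]


if __name__ == '__main__':
    print('unsafe:', macro_names(build_tree_macro_unsafe(INJECTED_ROOT, REFERENCE)))
    print('safe:  ', macro_names(build_tree_macro_safe(INJECTED_ROOT, REFERENCE)))
```

Running it prints `['tree', 'cache', 'groovy']` for the unsafe builder and `['tree']` for the hardened one. The general lesson is the same as for any templating of markup: a value that is interpolated into generated syntax must be escaped with the escaping rules of that syntax, and a unit test that feeds the known payload through the builder and asserts on the parsed macro list is a cheap regression check.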
Attachments
Issue Links
- is caused by: XWIKI-12815 Rewrite Zip Explorer feature as Components + make it more generic (Closed)
- links to