Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20268

Privilege escalation (PR) from account through AdminTemplatesSheet

    XMLWordPrintable

Details

    • Integration
    • Unknown
    • N/A
    • N/A

    Description

      Steps to Reproduce:

      1. Set the title of any document you can edit (can be the user profile) to 
        {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
      2. Use the object editor to add an object of type XWiki.TemplateProviderClass (named "Template Provider Class") to that document.
      3. Go to another document you can view (can be the home page) and append ?sheet=XWiki.AdminTemplatesSheet to the URL.

      Expected result:

      A template 

      {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

      is displayed in the list of templates.

      Actual result:

      A template Hello from groovy! is displayed, showing that the Groovy code has been executed. This demonstrates a privilege escalation from account to programming rights.

      Attachments

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. XAADMINISTRATION-143 Allow to administer document templates in the wiki administration

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Security advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: