XWIKI-20276: Stored XSS via the timezone displayer in user profile (XWiki Platform)


    Description

      Stored XSS issue

      Steps to reproduce:

      1. Open the preferences in your user profile as a user without script or programming rights.
      2. Click on the pencil icon at the top right of the preferences to edit them.
      3. Open the JavaScript console (usually F12) and execute:
        document.querySelector('[value="Africa/Abidjan"]').value = '<script>alert("XSS!")</script>';

      4. Set the timezone to Africa/Abidjan.
      5. Click "Save & View"

      Expected result:

      The injected JavaScript code is not executed (i.e. there's no alert shown).

      Actual result:

      You get the "XSS!" alert message. This means the JavaScript code is executed on behalf of the current user (who accesses the user profile), so it can steal their cookies or other information. It can also make HTTP requests on behalf of the current user to gain more rights (privilege escalation).

      Original description of the privilege escalation issue that was fixed by XWIKI-20327:

      Steps to reproduce:

      1. Open the preferences in your user profile as a user without script or programming rights.
      2. Click on the pencil icon at the top right of the preferences to edit them.
      3. Open the JavaScript console (usually F12) and execute:
        document.querySelector('[value="Africa/Abidjan"]').value = '{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}';

      4. Set the timezone to Africa/Abidjan.
      5. Click "Save & View"

      Expected result:

      The preferences are displayed with

      {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

      or an error that an invalid timezone was given.

      Actual result:

      The text

      Failed to execute the [html] macro. Cause: [When using HTML content inline, you can only use inline HTML content. Block HTML content (such as tables) cannot be displayed. Try leaving an empty line before and after the macro.]. Click on this message for details.
      Hello from groovy!

      is displayed followed by raw HTML code. This shows that the Groovy macro has been executed.

      This demonstrates a privilege escalation attack from a simple user account to programming rights due to insufficient escaping in the timezone displayer in displayer_timezone.vm.
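      As an added illustration (not XWiki's own code and not the Velocity of displayer_timezone.vm), the following Python sketch contrasts a displayer that concatenates the stored timezone value into its output with one that first checks the value against the list of known zone IDs and HTML-escapes what it prints; KNOWN_ZONES, the function names and the fallback zone list are assumptions.

```python
import html
from zoneinfo import available_timezones

# Allowlist of zone IDs the displayer will show. A real displayer would take
# this from the server's zone database; here it is Python's zoneinfo list, with
# a small constructed fallback for hosts that ship no tzdata (assumption).
KNOWN_ZONES = available_timezones() or {"Africa/Abidjan", "Europe/Paris", "UTC"}

# Constructed copies of the two values the report submits via the console.
XSS_VALUE = '<script>alert("XSS!")</script>'
WIKI_VALUE = ('{{/html}} {{async async="true" cached="false" context="doc.reference"}}'
              '{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}')


def render_timezone_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value goes into the output verbatim, so
    HTML tags and wiki macro delimiters such as {{/html}} survive unchanged."""
    return f'<span class="timezone">{value}</span>'


def render_timezone(value: str) -> str:
    """Hardened pattern: only an ID from the allowlist is rendered, and it is
    still HTML-escaped; an unknown value is replaced by a fixed message rather
    than echoed, because HTML escaping alone would not neutralise {{ }}."""
    if value in KNOWN_ZONES:
        return f'<span class="timezone">{html.escape(value, quote=True)}</span>'
    return '<span class="xwiki-error">Invalid timezone</span>'


def is_safe_output(rendered: str) -> bool:
    """True when no raw tag or wiki macro delimiter reached the output."""
    return "<script" not in rendered and "{{" not in rendered
```

The allowlist check is what defeats the second payload: the `{{/html}}` that closes the surrounding html macro is not touched by HTML escaping, so an unknown value must never be echoed into wiki-rendered output.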

      People

        mflorea Marius Dumitru Florea
        MichaelHamann Michael Hamann