Details
- Bug
- Resolution: Fixed
- Blocker
- 4.1-milestone-2
- Integration
- Unknown
- N/A
- N/A
Description
Stored XSS issue
Steps to reproduce:
- Open the preferences in your user profile as a user without script or programming rights.
- Click on the pencil icon at the top right of the preferences to edit them.
- Open the JavaScript console (usually F12) and execute:
document.querySelector('[value="Africa/Abidjan"]').value = '<script>alert("XSS!")</script>';
- Set the timezone to Africa/Abidjan.
- Click "Save & View"
Expected result:
The injected JavaScript code is not executed (i.e. there's no alert shown).
Actual result:
You get the "XSS!" alert message. This means the JavaScript code is executed on behalf of the current user (whoever views the user profile), so it can steal their cookies or other information. It can also make HTTP requests on behalf of the current user to gain more rights (privilege escalation).
Original description of the privilege escalation issue that was fixed by XWIKI-20327
Steps to reproduce:
- Open the preferences in your user profile as a user without script or programming rights.
- Click on the pencil icon at the top right of the preferences to edit them.
- Open the JavaScript console (usually F12) and execute:
document.querySelector('[value="Africa/Abidjan"]').value = '{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}';
- Set the timezone to Africa/Abidjan.
- Click "Save & View"
Expected result:
The preferences are displayed with
{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
or an error that an invalid timezone was given.
Actual result:
The text
Failed to execute the [html] macro. Cause: [When using HTML content inline, you can only use inline HTML content. Block HTML content (such as tables) cannot be displayed. Try leaving an empty line before and after the macro.]. Click on this message for details. Hello from groovy!
is displayed followed by raw HTML code. This shows that the Groovy macro has been executed.
This demonstrates a privilege escalation attack from a simple user account to programming rights due to insufficient escaping in the timezone displayer in displayer_timezone.vm.
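The defensive counterpart to both reports above, as an added example that is not XWiki's code: a server-side allowlist check at save time plus HTML escaping at display time, exercised against the two payloads from the reproduction steps. The allowlist contents and the function names are assumptions made for this example.

```python
import html

# Constructed sample allowlist for this example. A real deployment would take
# the allowed IDs from the platform's timezone database, for instance
# java.util.TimeZone.getAvailableIDs() in XWiki's JVM or
# zoneinfo.available_timezones() in Python.
KNOWN_TIMEZONES = frozenset({
    "UTC", "Africa/Abidjan", "Europe/Paris", "America/New_York",
})
DEFAULT_TIMEZONE = "UTC"

# The two values from the reports above, used as test inputs.
HTML_PAYLOAD = '<script>alert("XSS!")</script>'
WIKI_PAYLOAD = ('{{/html}} {{async async="true" cached="false" '
                'context="doc.reference"}}{{groovy}}println("Hello " '
                '+ "from groovy!"){{/groovy}}{{/async}}')


def validate_timezone(submitted, allowed=KNOWN_TIMEZONES):
    """Save-time check. The <select> in the profile form is not a trust
    boundary (the report rewrites its value from the browser console), so
    the server compares the submitted string against the known IDs.
    Returns the canonical ID, or None when the value is not a timezone."""
    if not isinstance(submitted, str):
        return None
    candidate = submitted.strip()
    return candidate if candidate in allowed else None


def escape_for_html(value):
    """Display-time escaping for an HTML context, the step the displayer lacked."""
    return html.escape(value, quote=True)


def render_timezone_display(stored, allowed=KNOWN_TIMEZONES):
    """Render the stored preference for the profile view.

    Two independent defences: a stored value that is not a known ID is
    replaced by the default (this also stops the wiki-syntax payload, which
    HTML escaping alone would not neutralise once the value is inserted into
    wiki markup), and the value is still HTML-escaped before concatenation."""
    value = stored if validate_timezone(stored, allowed) else DEFAULT_TIMEZONE
    return '<span class="timezone">' + escape_for_html(value) + '</span>'
```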
Attachments
Issue Links
- is caused by: XWIKI-7847 Allow to set the timezone in the wiki preferences and the user profile (Closed)