Details
-
Bug
-
Resolution: Fixed
-
Blocker
-
2.4 M2
-
Unknown
-
N/A
-
N/A
-
Pull Request accepted
-
Description
Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view where <xwiki-host> is the URL of your XWiki installation.
Expected result:
The text "This page is used by the invitation application" is displayed.
Actual result:
The text This page is used by the invitation application Hello from groovy!.WebHome]] is displayed. This shows that the Groovy macro in the document reference has been executed and thus demonstrates a privilege escalation from view to programming rights.
Similar attacks are possible on other documents of the invitation application but with different preconditions, here the status for all documents besides Invitation.InvitationGuestActions:
- Invitation.InvitationMemberActions: only for members of XWiki.XWikiAllGroup, i.e., needs an account or interaction of a user of that group.
- Invitation.InvitationMailClass: only for admins/with the interaction of a user of that group.
- Invitiation.InvitationCommon, Invitation.InvitationMembersCommon: requires an exploit reference that has the correct name, i.e., is a terminal document which requires creating that terminal document first as it is currently not possible to be on a non-existing terminal document. This therefore currently requires edit rights on at least one space, otherwise the former would be available for guests, the latter requires an account (i.e., XWiki.XWikiAllGroup).
- Invitation.InvitationConfig: not exploitable.
Note that due to the lack of a CSRF check "interaction" means visiting an attacker-generated URL or displaying a document that contains the attack URL as image reference.
This issue exploits a translation parameter and might thus also be fixed by XWIKI-19749 depending on the chosen fix.
Attachments
Issue Links
- is caused by
-
XAINVITATION-1 Move Invitation into platform/applications from sandbox
- Closed
- links to