Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20285

Privilege escalation (PR) from view right via Invitation application



    • Unknown
    • N/A
    • N/A
    • Pull Request accepted


      Steps to reproduce:

      Open <xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      The text "This page is used by the invitation application" is displayed.

      Actual result:

      The text This page is used by the invitation application Hello from groovy!.WebHome]] is displayed. This shows that the Groovy macro in the document reference has been executed and thus demonstrates a privilege escalation from view to programming rights.

      Similar attacks are possible on other documents of the invitation application but with different preconditions, here the status for all documents besides Invitation.InvitationGuestActions:

      • Invitation.InvitationMemberActions: only for members of XWiki.XWikiAllGroup, i.e., needs an account or interaction of a user of that group.
      • Invitation.InvitationMailClass: only for admins/with the interaction of a user of that group.
      • Invitiation.InvitationCommon, Invitation.InvitationMembersCommon: requires an exploit reference that has the correct name, i.e., is a terminal document which requires creating that terminal document first as it is currently not possible to be on a non-existing terminal document. This therefore currently requires edit rights on at least one space, otherwise the former would be available for guests, the latter requires an account (i.e., XWiki.XWikiAllGroup).
      • Invitation.InvitationConfig: not exploitable.

      Note that due to the lack of a CSRF check "interaction" means visiting an attacker-generated URL or displaying a document that contains the attack URL as image reference.

      This issue exploits a translation parameter and might thus also be fixed by XWIKI-19749 depending on the chosen fix.


        Issue Links



              mleduc Manuel Leduc
              MichaelHamann Michael Hamann
              0 Vote for this issue
              2 Start watching this issue