Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <xwiki-host> is the URL of your XWiki installation.
The document displays as if it was opened without a parameter, as the passed value isn't a valid date. The message
"Failed to execute the [html] macro. Cause: [When using HTML content inline, you can only use inline HTML content. Block HTML content (such as tables) cannot be displayed. Try leaving an empty line before and after the macro.]. Click on this message for details. Hello from groovy!"
is displayed, followed by raw HTML code. This demonstrates an XWiki syntax injection attack via the since parameter, allowing privilege escalation from view to programming rights.
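As an added example (not part of the original report and not XWiki's own code), the script below shows the two defensive checks the report implies: a strict parser that only accepts the `since` parameter when it is a real date, and a log scan that flags requests whose query parameters decode to XWiki macro syntax (`{{ ... }}`) so that attempts against this endpoint can be detected. The access-log lines are constructed for the example; the endpoint path is the one from the reproduction steps.

```python
"""Added example: validate a `since` parameter as a date and detect XWiki
macro syntax in request query parameters. Not XWiki's own code."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined-style, trimmed).
# Line 2 carries URL-encoded "{{groovy}}" in the `since` parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=2024-01-01T00:00:00 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 7001
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 3000
"""

MACRO_OPEN, MACRO_CLOSE = "{{", "}}"


def parse_since(value: Optional[str]) -> Optional[datetime]:
    """Strict validation: accept an ISO-8601 date/time, return None for anything else.

    A value that fails to parse must never be echoed into wiki content; the
    caller should fall back to the no-parameter behaviour instead."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def has_macro_syntax(value: str) -> bool:
    """True if the parameter value contains XWiki macro delimiters.

    The value is percent-decoded twice so that double-encoded input
    (e.g. %257B%257B) is also caught."""
    decoded = unquote(unquote(value))
    return MACRO_OPEN in decoded and MACRO_CLOSE in decoded


def suspicious_params(url: str) -> List[Tuple[str, str]]:
    """Return (name, decoded value) for every query parameter carrying macro syntax."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if has_macro_syntax(v)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan access-log lines and report requests with macro syntax in the query string."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        try:
            request = line.split('"')[1]          # 'GET /path?query HTTP/1.1'
            _method, url, _proto = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                              # malformed line, skip it
        hits = suspicious_params(url)
        if hits:
            findings.append({
                "client": line.split(" ", 1)[0],
                "path": urlsplit(url).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} {finding['path']} {finding['params']}")
    print("valid since:", parse_since("2024-01-01T00:00:00"))
    print("rejected since:", parse_since("{{groovy}}"))
```

The detection side is deliberately narrow: it keys on the `{{`/`}}` delimiters after decoding rather than on a specific macro name, since any macro (html, async, groovy, velocity) in a reflected parameter is a sign of the same injection class.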
This document was freshly introduced in XWiki 14.6 as part of XWIKI-19826, but the same code previously existed in a template of the distribution wizard. This can be exploited similarly to the steps detailed in XWIKI-19852: via the template macro, either through the user account or through CKEditor's HTMLConverter, or directly via xpart.vm as shown in XWIKI-19558 before that issue was fixed (XWiki versions before 13.10.5 and 14.3-rc-1).