XWiki Platform: XWIKI-20290

Stored XSS via the user account and displaycontent/rendercontent template


    Description

Steps to reproduce:

1. Open your user profile (without script or programming rights) with the wiki editor (needs advanced mode).
2. Set the content to <script>alert(1)</script>.
3. Open <xwiki-host>/xwiki/bin/view/XWiki/<username>?viewer=displaycontent&sheet=&outputSyntax=plain and <xwiki-host>/xwiki/bin/view/XWiki/<username>?viewer=rendercontent&sheet=&outputSyntax=plain, where <xwiki-host> is the URL of your XWiki installation and <username> is the name of the user.

Expected result:

The text <script>alert(1)</script> is displayed.

Actual result:

An alert with content "1" is displayed in both cases.

This demonstrates stored XSS via the user profile. The syntax of the user profile can also be set to plain/1.0 so that the entered HTML is not interpreted as XWiki syntax. A similar vulnerability can also be triggered with xpage=displaycontent or xpage=rendercontent, but the "advantage" of the viewer parameter is that the main HTML document contains the CSRF token and thus allows much more powerful attacks. The victim could be tricked into visiting such a document via a crafted internal link or by sending the victim the link via another communication channel.
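The two defensive pieces a practitioner would want from this report, as an added example that is not XWiki's own code: a log check that flags requests selecting the displaycontent/rendercontent template on a user profile with outputSyntax=plain, and the HTML escaping that would neutralise plain-syntax content before the template embeds it in the page. The access-log format, the profile path pattern and the wrapper markup are assumptions.

```python
"""Defensive helpers for the XWIKI-20290 pattern (added example, not XWiki code)."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Templates named in the report; reached via either ?viewer= or ?xpage=.
SUSPECT_TEMPLATES = {"displaycontent", "rendercontent"}
# Assumed profile path layout: /xwiki/bin/view/XWiki/<username>
PROFILE_PATH = re.compile(r"^/xwiki/bin/view/XWiki/[^/]+$")


def is_suspect_request(target: str) -> bool:
    """True when a request renders a user profile through one of the two
    templates with outputSyntax=plain (the combination the report describes)."""
    parts = urlsplit(target)
    if not PROFILE_PATH.match(parts.path):
        return False
    q = parse_qs(parts.query)
    template = q.get("viewer", q.get("xpage", [""]))[0]
    return template in SUSPECT_TEMPLATES and q.get("outputSyntax", [""])[0] == "plain"


def embed_plain_output(rendered_plain: str) -> str:
    """Hardened embedding: text produced for outputSyntax=plain is escaped
    before being placed inside the HTML document (wrapper markup is assumed)."""
    return '<div class="xcontent">' + html.escape(rendered_plain) + "</div>"


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - "GET /xwiki/bin/view/XWiki/Alice?viewer=displaycontent&sheet=&outputSyntax=plain HTTP/1.1" 200
10.0.0.5 - - "GET /xwiki/bin/view/XWiki/Alice HTTP/1.1" 200
10.0.0.7 - - "GET /xwiki/bin/view/XWiki/Bob?xpage=rendercontent&outputSyntax=plain HTTP/1.1" 200
10.0.0.7 - - "GET /xwiki/bin/view/Main/WebHome?viewer=displaycontent&outputSyntax=plain HTTP/1.1" 200
"""


def flag_log_lines(log_text: str) -> list[str]:
    """Return the request targets of log lines matching the suspect pattern."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) HTTP/', line)
        if m and is_suspect_request(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspect:", hit)
    print(embed_plain_output("<script>alert(1)</script>"))
```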

People

Michael Hamann