Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20293

Privilege escalation (PR) from account through IncludedPagesDocumentInformation panel

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. As a user without script or programming right open your user account (or any other document you can edit with the wiki editor.
      2. Set the content to 
        {{display reference="{{cache~}~}{{groovy~}~}println(~"Hello from Groovy~" + ~" in included document!~"){{/groovy~}~}{{/cache~}~}"/}}

        .

      3. Click "Save"
      4. Refresh the document in the browser.

      Expected result:

      The panel at the right of the editor displays 

      One included page: 
{{cache}}{{groovy}}println("Hello from Groovy" + " in included document!"){{/groovy}}{{/cache}}

      .

      Actual result:

      The panel displays the text 

      One included page:
    XWiki.Hello from Groovy in included document!

      This demonstrates a privilege escalation from simple user account to programming rights.

      Attachments

        Issue Links

          links to

          Web Link Github Security advisory

          Activity

            People

              mleduc Manuel Leduc
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: