Steps to reproduce:
- As a user without script or programming rights, open your user profile (or any other document you can edit) in the object editor (available after enabling advanced mode for your user).
- Create a new object of kind XWiki.UIExtensionClass
- Set "Extension Point ID" to org.xwiki.platform.panels.Applications
- Set "Extension ID" to org.xwiki.platform.myuserApplication
- Set "Extension Parameters" to
- Set "Extension Scope" to "Current User"
- Click "Save & View"
- Open PanelsCode.ApplicationsPanelConfigurationSheet (i.e., <xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet where <xwiki-host> is the URL of your XWiki installation).
Expected result: the applications are listed, and an application whose label is the literal parameter value
is included in the list.
Actual result: the output of the user-defined Groovy code
is displayed, and the list of applications isn't displayed. This demonstrates that Groovy code defined by the user has been executed, in other words a privilege escalation from a regular user account to programming rights. The cause is that the document PanelsCode.ApplicationsPanelConfigurationSheet doesn't properly escape all displayed parameters before rendering them as wiki syntax.
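The escalation described above depends on a UIExtensionClass object whose "Extension Parameters" contain wiki macro syntax that a sheet later renders unescaped. The following audit helper is an added example, not code from XWiki or from this advisory: it walks objects in the shape of the XWiki REST XML object representation (an assumption made here: `<object xmlns="http://www.xwiki.org">` carrying `<property name="..."><value>` children, with the UIExtensionClass fields named `extensionPointId`, `name`, `parameters` and `scope`) and flags any UIExtensionClass object whose parameter values reference a macro, with script macros such as `{{groovy}}` called out separately. The sample document is constructed for the example; the page id `xwiki:XWiki.someuser` and the Groovy body in it are stand-ins, not the advisory's payload.

```python
"""Flag XWiki.UIExtensionClass objects whose Extension Parameters contain wiki macro syntax.

Added example, not XWiki's own code. Assumed input shape (not stated on the page):
the XWiki REST XML object representation, <object xmlns="http://www.xwiki.org">
with <className>, <pageId>, <pageAuthor>, <number> and <property name=...><value>.
"""
import re
import xml.etree.ElementTree as ET

XWIKI_NS = "{http://www.xwiki.org}"

# XWiki/2.x macro syntax: {{name param="..."}}body{{/name}} or {{name/}}.
# Only opening tags are matched, so {{/groovy}} does not count twice.
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z][\w-]*)")
# Macros that run server-side code with the rights of the rendering author.
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "ruby", "script"}

# Constructed sample: one ordinary extension and one whose label carries a macro.
SAMPLE_OBJECTS = """<objects xmlns="http://www.xwiki.org">
  <object>
    <pageId>xwiki:XWiki.Admin</pageId>
    <pageAuthor>XWiki.Admin</pageAuthor>
    <className>XWiki.UIExtensionClass</className>
    <number>0</number>
    <property name="extensionPointId" type="String"><value>org.xwiki.platform.panels.Applications</value></property>
    <property name="name" type="String"><value>org.xwiki.platform.exampleApplication</value></property>
    <property name="parameters" type="TextArea"><value>label=Example
icon=home
target=Main.WebHome</value></property>
    <property name="scope" type="StaticList"><value>wiki</value></property>
  </object>
  <object>
    <pageId>xwiki:XWiki.someuser</pageId>
    <pageAuthor>XWiki.someuser</pageAuthor>
    <className>XWiki.UIExtensionClass</className>
    <number>0</number>
    <property name="extensionPointId" type="String"><value>org.xwiki.platform.panels.Applications</value></property>
    <property name="name" type="String"><value>org.xwiki.platform.myuserApplication</value></property>
    <property name="parameters" type="TextArea"><value>label={{groovy}}println "marker"{{/groovy}}</value></property>
    <property name="scope" type="StaticList"><value>user</value></property>
  </object>
</objects>"""


def parse_parameters(text):
    """'Extension Parameters' is one key=value pair per line; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def macros_in(value):
    """Lower-cased names of all wiki macros opened in a parameter value, in order."""
    return [m.group(1).lower() for m in MACRO_RE.finditer(value)]


def property_value(obj, name):
    """Text of <property name=...><value> inside one <object>, or '' if absent."""
    for prop in obj.iter(XWIKI_NS + "property"):
        if prop.get("name") == name:
            val = prop.find(XWIKI_NS + "value")
            return (val.text or "") if val is not None else ""
    return ""


def audit_objects(xml_text):
    """Return one finding per UIExtensionClass object whose parameters open a macro."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter(XWIKI_NS + "object"):
        if obj.findtext(XWIKI_NS + "className") != "XWiki.UIExtensionClass":
            continue
        params = parse_parameters(property_value(obj, "parameters"))
        hits = {k: macros_in(v) for k, v in params.items() if macros_in(v)}
        if not hits:
            continue
        findings.append({
            "page": obj.findtext(XWIKI_NS + "pageId"),
            "number": int(obj.findtext(XWIKI_NS + "number") or 0),
            "author": obj.findtext(XWIKI_NS + "pageAuthor"),
            "extensionPointId": property_value(obj, "extensionPointId"),
            "scope": property_value(obj, "scope"),
            "params": hits,
            # True when any referenced macro executes code (groovy, velocity, ...).
            "script": any(set(names) & SCRIPT_MACROS for names in hits.values()),
        })
    return findings


if __name__ == "__main__":
    for f in audit_objects(SAMPLE_OBJECTS):
        level = "SCRIPT MACRO" if f["script"] else "macro syntax"
        print(f"{level}: {f['page']} object {f['number']} "
              f"(scope={f['scope']}, author={f['author']}): {f['params']}")
```

Findings are candidates, not verdicts: the script cannot see rights, so each hit should be checked against the page author's script and programming rights, and the object's scope tells you whether only that user or the whole wiki would render it. Any hit from an author without programming rights on an instance whose sheet still renders parameters unescaped should be treated as an attempted escalation.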