XWiki Platform: XWIKI-20294

Privilege escalation (PR) from account through PanelsCode.ApplicationsPanelConfigurationSheet



    Description

      Steps to reproduce:

      1. As a user without script or programming rights, open your user profile (or any other document you can edit) with the object editor (requires enabling the advanced mode).
      2. Create a new object of kind XWiki.UIExtensionClass
      3. Set "Extension Point ID" to org.xwiki.platform.panels.Applications
      4. Set "Extension ID" to org.xwiki.platform.myuserApplication
      5. Set "Extension Parameters" to
        order=100
        label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
        icon=pencil
        target=XWiki.username
      6. Set "Extension Scope" to "Current User"
      7. Click "Save & View"
      8. Open PanelsCode.ApplicationsPanelConfigurationSheet (i.e., <xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet where <xwiki-host> is the URL of your XWiki installation).

      Expected result:

      The applications are listed, and an application with the label

      {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

      is included in the list.

      Actual result:

      The message

      Failed to execute the [html] macro. Cause: [When using HTML content inline, you can only use inline HTML content. Block HTML content (such as tables) cannot be displayed. Try leaving an empty line before and after the macro.]. Click on this message for details.
      Hello from groovy!</a>
      </li>
      </ul>
      </div>
      </div>
      </div>
      {{/html}}

      is displayed and the list of applications isn't displayed. This demonstrates that Groovy code defined by the user has been executed, in other words a privilege escalation from a regular account to programming rights. The cause is that the document PanelsCode.ApplicationsPanelConfigurationSheet doesn't properly escape all displayed parameters: the user-supplied label is inserted into the sheet's output as-is, so the {{/html}} it contains terminates the sheet's HTML macro and the macro markup that follows is parsed and executed with the sheet's rights instead of being shown as text.

            People

              vmassol Vincent Massol
              MichaelHamann Michael Hamann