Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- 2.0.1
Description
Steps to reproduce:
- As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler").
- In "Job Script", add the following
{{/code}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
- Click "Save & View"
- If the job information isn't already displayed (you should see "Job Name", "Job Description", etc.), append ?sheet=XWiki.SchedulerJobSheet to the URL.
Expected result:
Under "Job script" the text
{{/code}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
is displayed.
Actual result:
Under "Job script", the text
Hello from groovy!{{/code}}
is displayed.
This shows that a user without script or programming rights has successfully executed a Groovy macro and thus gained programming rights. Therefore, this is a privilege escalation vulnerability from account to programming rights.
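As an added illustration (constructed here; not XWiki's renderer and not the fix shipped in XWIKI-20462), the toy model below shows why pasting the job script into the sheet's code macro lets a leading {{/code}} break out into parsed markup, and how handing the macro a reference to the content instead keeps that text away from the parser. The `source=` parameter name and the object key are hypothetical placeholders.

```python
import re

# Toy wiki renderer (constructed model, not XWiki's rendering engine).
CODE_RE = re.compile(r"\{\{code([^}]*)\}\}(.*?)\{\{/code\}\}", re.S)
GROOVY_RE = re.compile(r"\{\{groovy\}\}(.*?)\{\{/groovy\}\}", re.S)
WRAPPER_RE = re.compile(r"\{\{/?async[^}]*\}\}")
SOURCE_RE = re.compile(r'source="([^"]*)"')


def render_macros(text: str) -> str:
    """Text outside a code macro is parsed: async wrappers vanish and a groovy
    macro 'executes' (here: tagged) with the sheet author's rights."""
    text = WRAPPER_RE.sub("", text)
    return GROOVY_RE.sub(lambda m: f"[groovy executed: {m.group(1).strip()}]", text)


def render_markup(markup: str, sources=None) -> str:
    """Code-macro bodies are shown verbatim; everything else is parsed.
    A code macro carrying source= takes its body from `sources` instead of
    from the markup, so that text never reaches the parser."""
    sources = sources or {}
    out, pos = [], 0
    for m in CODE_RE.finditer(markup):
        out.append(render_macros(markup[pos:m.start()]))
        src = SOURCE_RE.search(m.group(1))
        out.append(sources[src.group(1)] if src else m.group(2))
        pos = m.end()
    out.append(render_macros(markup[pos:]))
    return "".join(out)


def sheet_inline(script: str) -> str:
    """Vulnerable sheet: the script is concatenated into the markup, so a
    leading {{/code}} closes the macro early and the rest is parsed."""
    return render_markup("{{code}}" + script + "{{/code}}")


def sheet_by_reference(script: str) -> str:
    """Fixed sheet (modelled on the idea of XWIKI-20462): the macro names where
    the content lives and the renderer fetches it without parsing it.
    The key below is a hypothetical placeholder, not XWiki's real syntax."""
    key = "object:XWiki.SchedulerJobClass.script"
    return render_markup(f'{{{{code source="{key}"}}}}{{{{/code}}}}', {key: script})


# The job script from the reproduction steps above.
PAYLOAD = ('{{/code}} {{async async="true" cached="false" context="doc.reference"}}'
           '{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}')

if __name__ == "__main__":
    print("inline:      ", sheet_inline(PAYLOAD))   # groovy ran, stray {{/code}} shown
    print("by reference:", sheet_by_reference(PAYLOAD))  # script shown verbatim
```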
Issue Links
- depends on: XWIKI-20462 Add support for content coming from a different source in the code macro (Closed)
- is caused by: XASCH-42 Scheduler script's code is not displayed correctly (Closed)