XWiki Platform: XWIKI-20312

Stored XSS via the HTML displayer in Live Data still exploitable

    Description

      STEPS TO REPRODUCE

      1. Create a user U1 and deny it the Script right from Administer Wiki > Users & Rights > Rights
      2. Log in as U1 and go to its user profile
      3. Click the "Edit profile" button and paste the following under the About section (in Source):
        {{liveData id="movies" properties="title,description"}}
        {
          "data": {
            "count": 1,
            "entries": [
              {
                "title": "Meet John Doe",
                "url": "https://www.imdb.com/title/tt0033891/",
                "description": "<img onerror='alert(1)' src='foo' />"
              }
            ]
          },
          "meta": {
            "propertyDescriptors": [
              {
                "id": "title",
                "name": "Title",
                "visible": true,
                "displayer": {"id": "link", "propertyHref": "url"}
              },
              {
                "id": "description",
                "name": "Description",
                "visible": true,
                "displayer": "html"
              }
            ]
          }
        }
        {{/liveData}}
      4. Click 'Save & View'

      EXPECTED RESULTS

      No alert is displayed.

      ACTUAL RESULTS

      An alert popup with content "1" is displayed.

      The issue also reproduces on XWiki 14.9.

      Note: another way to reproduce is to use the same user (without the Script right) to edit an AWM entry (e.g., http://localhost:8080/xwiki/bin/view/Help/Applications/Movies/Meet%20John%20Doe) and put the same Live Data macro in the poster field.
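      The following is an added illustration of the security point behind the steps above; it is not XWiki's own code and does not claim to be the project's fix. It models a tiny Live Data cell renderer with the three displayers named in the report's JSON ("link", "html", "text"). The vulnerable variant honours an "html" displayer whatever the author's rights, so the description value reaches the page as live markup; the hardened variant downgrades "html" to the escaping "text" displayer unless the author of the content that supplied the data holds the Script right. The context.authorHasScriptRight flag, the displayer implementations and the containsInlineHandler check are assumptions made for this example.

```javascript
// Added illustration, not XWiki's own code: a toy Live Data cell renderer
// showing why the "html" displayer must not be honoured for content whose
// author lacks the Script right. The displayer ids and descriptor shape
// mirror the JSON in the report; context.authorHasScriptRight is an
// assumption made for this example.

// Escape the characters that are significant in HTML text and attribute
// values, so the value is shown literally instead of parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Displayers keyed by id. "html" passes the value through untouched,
// which is exactly what makes it dangerous for untrusted authors.
const displayers = {
  text: (value) => escapeHtml(value),
  html: (value) => String(value),
  link: (value, entry, props) =>
    `<a href="${escapeHtml(entry[props.propertyHref] || "")}">${escapeHtml(value)}</a>`,
};

// A descriptor's displayer is either a string id or an object {id, ...props}.
function resolveDisplayer(descriptor) {
  const d = descriptor.displayer;
  return typeof d === "string" ? { id: d } : { ...d };
}

// Vulnerable variant: uses whatever displayer the descriptor asks for,
// regardless of who authored the macro.
function renderCellVulnerable(entry, descriptor) {
  const { id, ...props } = resolveDisplayer(descriptor);
  return displayers[id](entry[descriptor.id], entry, props);
}

// Hardened variant: "html" is downgraded to "text" unless the author of the
// content that supplied the live data holds the Script right.
function renderCellHardened(entry, descriptor, context) {
  const { id, ...props } = resolveDisplayer(descriptor);
  const effectiveId = id === "html" && !context.authorHasScriptRight ? "text" : id;
  return displayers[effectiveId](entry[descriptor.id], entry, props);
}

// Render every visible property of every entry as table rows.
function renderRows(entries, descriptors, renderCell, context) {
  return entries
    .map((entry) => {
      const cells = descriptors
        .filter((d) => d.visible)
        .map((d) => `<td>${renderCell(entry, d, context)}</td>`)
        .join("");
      return `<tr>${cells}</tr>`;
    })
    .join("\n");
}

// Crude check: does the markup still contain a tag carrying an inline
// event-handler attribute (onerror=, onload=, ...)?
function containsInlineHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample data, identical to the payload in the report.
const sampleEntries = [
  {
    title: "Meet John Doe",
    url: "https://www.imdb.com/title/tt0033891/",
    description: "<img onerror='alert(1)' src='foo' />",
  },
];
const sampleDescriptors = [
  { id: "title", name: "Title", visible: true, displayer: { id: "link", propertyHref: "url" } },
  { id: "description", name: "Description", visible: true, displayer: "html" },
];

const untrustedAuthor = { authorHasScriptRight: false };
const trustedAuthor = { authorHasScriptRight: true };

// Vulnerable: the <img onerror=...> reaches the page as live markup.
const vulnerableHtml = renderRows(sampleEntries, sampleDescriptors, renderCellVulnerable, untrustedAuthor);
// Hardened, author without Script right: the markup is escaped and shown as text.
const hardenedHtml = renderRows(sampleEntries, sampleDescriptors, renderCellHardened, untrustedAuthor);

console.log(vulnerableHtml);
console.log(hardenedHtml);
```

      The hardened variant keeps the "link" displayer working (the href still comes from the url property, escaped for attribute context) and only neutralises the one displayer that emits raw markup, which is the displayer the report shows being abused.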

            People

              mleduc Manuel Leduc
              iandriuta Ilie Andriuta