Details
-
Security
-
Resolution: Solved By
-
Blocker
-
14.9
-
Unknown
-
N/A
-
N/A
-
Description
SUBMISSION REFERENCES
- Submission code: XWIKI-WS464GRV
- Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-WS464GRV
RESEARCHER INFORMATION
- Submitter: floerer
SUBMISSION INFORMATION
- Created at: Fri, 04 Nov 2022 11:02:35 GMT
- Submission status: Archived
REPORT CONTENT
- Severity: High (8.6)
- Domain: https://intigriti.xwiki.com/ (Url)
- Proof of concept: I found a way to perform a SSRF and retrieve sensitive data from the server.
As of now I did limited testing but was able to retrieve the `nginx.conf` so for sure more is possible and I will test it out.
*Steps to reproduce*
1. Login with your account on https://intigriti.xwiki.com
2. Now go to your porfile (clicking on your profile picture in the top right corner) and then on this page select `My dashboard`
3. Click on `add gadget`
4. Type `document` and select the `Office document viewer`
5. Now as reference enter: `url:file:///etc/nginx/nginx.conf`
6. Click `submit` and the contents of the file will be loaded on your dashboard as you can see.
I will test more things to show bigger impact
- Impact: Retrieve sensitive data and files from the server with a SSRF
- Personal data involved: No
- Endpoint: https://intigriti.xwiki.com/xwiki/bin/save/XWiki/<username>
- Type: Server-Side Request Forgery
- Attachments: No attachments available
Attachments
Issue Links
- is caused by
-
XWIKI-20447 Office document viewer macro allows anyone to see any file from host
-
- Closed
-