Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- 1.0
Description
Steps to reproduce:
Get a user with programming rights to visit the URL <xwiki-host>/xwiki/bin/edit/Main/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view, where <xwiki-host> is the URL of your XWiki installation. This can be done by embedding an image with this URL.
Expected result:
The Groovy macro isn't executed as this is a CSRF attack.
Actual result:
The text "Hello from Groovy!" is displayed in the page content, showing that the Groovy macro has been executed. Note that this demo might not be suited to demonstrate the true attack scenario: in a real attack, the Groovy code would perform some modification on the server, since ideally the result is not even displayed to the victim (e.g., when the URL is used as the source of an image).
This issue assumes that XWIKI-20385 has been fixed and thus the content author is set to the current user. Otherwise, this attack needs to be performed on a document whose previous content author already has programming rights.
The root cause is that the edit action sets the page content from the request and thereby renders (and executes) it without checking for a CSRF token.
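The following is an added illustration, not XWiki code, of the missing check described above: a minimal model of an edit action that takes content from the request. The vulnerable variant renders it with the current user's rights unconditionally; the hardened variant only does so when a `form_token` parameter matches the session's CSRF token, and otherwise renders in a restricted mode where script macros are refused (the parameter name, the `Session`/`Request` types and the `EXECUTED(...)` placeholder are assumptions of this model; nothing is actually executed).

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Matches a {{groovy}}...{{/groovy}} macro block in submitted wiki content.
SCRIPT_MACRO = re.compile(r"\{\{groovy\}\}(.*?)\{\{/groovy\}\}", re.DOTALL)


@dataclass
class Session:
    """Server-side session (hypothetical); one CSRF token minted per session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Hypothetical request: query/form parameters plus the caller's session."""
    params: dict
    session: Session


def render(content: str, restricted: bool) -> str:
    """Simulated rendering. Unrestricted mode stands in for macro execution by
    emitting EXECUTED(<body>); restricted mode refuses script macros instead."""
    def expand(m: re.Match) -> str:
        if restricted:
            return "[script macro not executed: no CSRF token, restricted mode]"
        return f"EXECUTED({m.group(1)})"
    return SCRIPT_MACRO.sub(expand, content)


def edit_vulnerable(req: Request, stored: str) -> str:
    """Reported behaviour: request-supplied content replaces the page content
    and is rendered with the current user's rights, with no CSRF check at all."""
    return render(req.params.get("content", stored), restricted=False)


def edit_fixed(req: Request, stored: str) -> str:
    """Hardened: request-supplied content runs with full rights only when the
    form_token parameter matches the session token (constant-time compare);
    a forged cross-site GET carries no token, so it is rendered restricted."""
    content = req.params.get("content")
    if content is None:
        return render(stored, restricted=False)  # saved content, no request input
    token = req.params.get("form_token", "")
    token_ok = hmac.compare_digest(token.encode(), req.session.csrf_token.encode())
    return render(content, restricted=not token_ok)
```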
Issue Links
- depends on: XWIKI-20594 Upgrading doesn't prevent exploiting vulnerable XWiki documents (Closed)
- is related to: XWIKI-20385 Privilege escalation/RCE via the edit action (Closed); XWIKI-20783 Missing CSRF token causes warning that the content will be executed in restricted mode to be displayed in some unexpected places (Closed); XWIKI-20331 RCE payloads stored in comments and profile are executed when admin user edits them (Closed)
- relates to: XWIKI-21047 Warning related to a missing CSRF token in wiki section editing (Closed)