Details
- Bug
- Resolution: Fixed
- Blocker
- 2.5 M1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce
- Open the invitation application (Invitation.WebHome).
- Set the subject to
{{cache}}{{groovy}}new File("/tmp/exploit.txt").withWriter { out -> out.println("Attacked from invitation!"); }{{/groovy}}{{/cache}}
- Click "Preview"
Expected result:
The entered subject is displayed as-is in the preview and no file is created.
Actual result:
A file /tmp/exploit.txt with content Attacked from invitation! is created.
This is because the content of the subject field is injected into a translation message that is displayed without any escaping in the subject field. It somehow seems that the macro result is not displayed; it is not clear to me why, but the creation of the file clearly shows that the Groovy code is executed. A similar attack is most likely possible through the plain text email template. The template can be customized by admins, which could mitigate the problem depending on what the admin did, but it also means that even fixed versions could still be vulnerable. The Invitation application is, by default, viewable by all registered users.
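The injection point described above, as an added illustration that is not part of this report or of XWiki's own code: a user-controlled subject is substituted into a translation message, so any XWiki 2.x macro markers it contains ({{name}} ... {{/name}}) reach the renderer. The detector below flags such markers in untrusted input, and the escaper assumes the XWiki 2.x rule that a tilde escapes the following character; the translation template string is constructed for the example.

```python
import re

# Constructed sample: the subject used in the reproduction steps of this report.
MALICIOUS_SUBJECT = (
    '{{cache}}{{groovy}}new File("/tmp/exploit.txt").withWriter '
    '{ out -> out.println("Attacked from invitation!"); }{{/groovy}}{{/cache}}'
)

# Constructed translation message; "{0}" is where the subject is substituted.
SUBJECT_TEMPLATE = "Invitation: {0}"

# Matches an XWiki 2.x macro start or end marker such as {{groovy}} or {{/cache}}.
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z_][\w-]*)")


def find_macros(text):
    """Return the macro names present in wiki text; useful for logging or alerting
    on untrusted fields (subject, template bodies) before they are rendered."""
    return sorted({m.group(1) for m in MACRO_RE.finditer(text)})


def escape_wiki_syntax(text):
    """Assumption: in XWiki syntax 2.x a '~' escapes the next character, so prefixing
    every character makes the whole string render literally, macro markers included."""
    return "".join("~" + c for c in text)


def render_subject_unsafe(subject, template=SUBJECT_TEMPLATE):
    """The vulnerable pattern: raw user input substituted into the message."""
    return template.replace("{0}", subject)


def render_subject_safe(subject, template=SUBJECT_TEMPLATE):
    """The hardened pattern: escape the input before it enters wiki-rendered text."""
    return template.replace("{0}", escape_wiki_syntax(subject))


if __name__ == "__main__":
    print("macros in raw subject:", find_macros(render_subject_unsafe(MALICIOUS_SUBJECT)))
    print("macros after escaping:", find_macros(render_subject_safe(MALICIOUS_SUBJECT)))
```

In a real deployment the escaping belongs in the Velocity template at the point where the subject is inserted, not in a separate script.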