XWiki Platform / XWIKI-20421

Privilege escalation (PR)/RCE from account through Invitation subject/message


    Description

      Steps to reproduce

      1. Open the invitation application (Invitation.WebHome).
      2. Set the subject to
        {{cache}}{{groovy}}new File("/tmp/exploit.txt").withWriter { out -> out.println("Attacked from invitation!"); }{{/groovy}}{{/cache}}
      3. Click "Preview"

      Expected result:

      The entered subject is displayed as-is in the preview and no file is created.

      Actual result:

      A file /tmp/exploit.txt with content Attacked from invitation! is created.

      This is because the content of the subject field is injected into a translation message that is displayed without any escaping in the subject field. It somehow seems that the macro result is not displayed; it is not clear to me why, but the creation of the file clearly shows that the Groovy code is executed. A similar attack is most likely possible through the plain text email template. The template can be customized by admins, which could mitigate the problem depending on what the admin did, but it also means that even fixed versions could still be vulnerable. The Invitation application is - by default - viewable by all registered users.
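      The paragraph above describes the root cause: user text is substituted into a translation message that is then rendered as wiki syntax, so macro markup in the text becomes live. The following is an added example, not code from the XWiki issue or from the XWiki code base, that models that flow in Python: a vulnerable substitution beside a hardened one that escapes the text first, plus a `find_macros()` check a maintainer can run over submitted subjects when verifying a fix or triaging logs. The escape rule (prefix every character with `~`) follows the escape character of XWiki Syntax 2.x; the macro regex, the `SUBJECT_TEMPLATE` message and the sample subjects are simplifications constructed for this example.

```python
"""Toy model of the XWIKI-20421 defect: unescaped user text entering a wiki-syntax message.

Added example, not XWiki code. The macro pattern and message template are simplified.
"""
import re

# Matches wiki macro markup such as {{groovy}} or {{/groovy}}; group 1 is "/" for a closing tag.
MACRO_RE = re.compile(r"\{\{\s*(/?)([A-Za-z][\w-]*)")

# Constructed translation message standing in for the invitation subject; {0} is the user text.
SUBJECT_TEMPLATE = "Invitation: {0}"


def find_macros(wiki_text: str) -> list[str]:
    """Return the names of macros that would be active if wiki_text were rendered.

    Simplified model: an opening tag counts unless its first brace is escaped with '~'.
    """
    found = []
    for m in MACRO_RE.finditer(wiki_text):
        start = m.start()
        if start > 0 and wiki_text[start - 1] == "~":
            continue  # escaped brace: rendered as literal text, not as a macro
        if m.group(1) == "/":
            continue  # closing tag, not a macro invocation
        found.append(m.group(2))
    return found


def escape_wiki(text: str) -> str:
    """Escape text for XWiki 2.x syntax by prefixing every character with '~'."""
    return "".join("~" + c for c in text)


def render_subject_vulnerable(user_subject: str) -> str:
    """The defect: the user's text is placed into the wiki-syntax message unescaped."""
    return SUBJECT_TEMPLATE.format(user_subject)


def render_subject_hardened(user_subject: str) -> str:
    """Mitigation: escape the user's text before it enters the wiki-syntax message."""
    return SUBJECT_TEMPLATE.format(escape_wiki(user_subject))


# Constructed sample subjects: one benign, one carrying macro markup like the report's.
BENIGN = "Join our wiki"
MALICIOUS = "{{cache}}{{groovy}}println('x'){{/groovy}}{{/cache}}"


def check_submission(user_subject: str) -> dict:
    """Summarise which macros each rendering path would leave active for a given subject."""
    return {
        "vulnerable_macros": find_macros(render_subject_vulnerable(user_subject)),
        "hardened_macros": find_macros(render_subject_hardened(user_subject)),
    }


if __name__ == "__main__":
    for subject in (BENIGN, MALICIOUS):
        print(repr(subject), check_submission(subject))
```

      Running the block shows the benign subject is unaffected on both paths, while the macro-bearing subject exposes `cache` and `groovy` on the vulnerable path and nothing on the hardened one. The same `find_macros()` check, pointed at stored subjects and at the plain-text email template the report mentions, is a cheap way to confirm no unescaped user text reaches the renderer.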

      People: Manuel Leduc (mleduc), Michael Hamann (MichaelHamann)