Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20447

Office document viewer macro allows anyone to see any file from host

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A

    Description

      Reproduction steps:

      • Start office server on the wiki
      • Insert a new comment with guest such as: 
        {{office reference="url:file:///etc/whois.conf"/}}

      Expected result:

      • the file should not be displayed, only PR user should be able (maybe?) to access a file from the host like this

      Obtained result:

      • the file is displayed to anyone once the comment is saved

      Attachments

        Issue Links

          causes

          Security - Security bug with confidential level XWIKI-20324 SSRF - Retrieve sensitive data from server - Add Gadget

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20449 Server side request forgery (SSRF) with the Office Viewer

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              surli Simon Urli
              surli Simon Urli
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: