XWiki Platform: XWIKI-20524

Privilege escalation (PR) from edit right to programming right through icon themes


    Description

      Steps to reproduce:

      • Log in as a user without script right.
      • Copy the document IconThemes.Silk to some space where you have edit rights.
      • Use the object editor to change the icon theme name to "MyTheme".
      • Edit the document using the wiki editor and change the property "xwiki.iconset.render.html" to
        xwiki.iconset.render.html = #set($mydoc = $doc.getDocument()) $mydoc.setContentAuthorReference("xwiki:XWiki.Admin") $mydoc.setTitle($icon) $mydoc.getTitle()
      • Open <xwiki-host>/xwiki/bin/view/IconThemesCode/IconPicker?action=data_icons&iconTheme=MyTheme, where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      The title "Icon Picker" is displayed and the document doesn't start with [{"name":"home","render":"   house"}.

      Actual result:

      The title "wrench" is displayed and the document starts with [{"name":"home","render":"   house"}. This demonstrates that a user without script right was able to execute Velocity code with programming rights.

      It is not clear to me if a user without admin right should be able to create icon themes at all. Further, users without script right definitely shouldn't be able to execute Velocity and also definitely not with programming rights. The xwiki.iconset.render.wiki property can also be abused to insert macros into documents like the default Main document.

      Steps to reproduce:

      • As a user with global edit right (i.e., all users by default) and no script right, edit IconThemes.FontAwesome and set the property
        xwiki.iconset.render.wiki = {{cache}}{{groovy}}println("Hello from Font Awesome ${icon}!"){{/groovy}}{{/cache}}
      • Open the Main document ("Home") (assuming it is unchanged from the standard distribution).

      Expected result:

      An error is displayed as the user doesn't have script or programming right.

      Actual result:

      The text "Hello from Font Awesome pencil!" and similar texts are displayed instead of the icons.

      This is possible because edit rights are not protected on the IconThemes space.
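      As an added check, not part of this issue or of XWiki's own code, the following Python scanner parses an icon theme definition written as the key = value lines quoted above and flags the two render properties when they carry Velocity directives, method calls on references or wiki macros, which is what both reports rely on. The sample themes, the benign render templates and the property-line format are constructed assumptions; a bare $icon reference is treated as legitimate.

```python
import re

# Render properties evaluated as Velocity when an icon is rendered (the two abused in the reports above).
RENDER_KEYS = ("xwiki.iconset.render.html", "xwiki.iconset.render.wiki")
# Velocity directives a plain rendering template has no reason to use.
VELOCITY_DIRECTIVE = re.compile(r"#(?:set|if|elseif|else|foreach|macro|evaluate|include|parse|define)\b")
# A method call on a reference, e.g. $doc.getDocument( ; a bare $icon or ${icon} is fine.
VELOCITY_METHOD_CALL = re.compile(r"\$!?\{?[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+\s*\(")
# Opening macro syntax such as {{groovy}} or {{cache}}; closing {{/x}} is not matched.
WIKI_MACRO = re.compile(r"\{\{\s*([A-Za-z][\w-]*)")
SCRIPT_MACROS = {"groovy", "velocity", "python", "script", "html", "include", "display"}

def parse_theme(text: str) -> dict:
    """Parse 'key = value' lines (constructed format, as quoted in the report); the first '=' splits."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def scan_icon_theme(text: str) -> list:
    """Return (property, reason) pairs for render properties that carry script syntax."""
    props = parse_theme(text)
    findings = []
    for key in RENDER_KEYS:
        value = props.get(key, "")
        if VELOCITY_DIRECTIVE.search(value):
            findings.append((key, "velocity directive"))
        if VELOCITY_METHOD_CALL.search(value):
            findings.append((key, "method call on a velocity reference"))
        for name in WIKI_MACRO.findall(value):
            kind = "script macro" if name.lower() in SCRIPT_MACROS else "wiki macro"
            findings.append((key, f"{kind} {{{{{name}}}}}"))
    return findings

# Constructed sample: the two render properties set to the values quoted in the issue, plus one icon mapping.
TAMPERED_THEME = """\
xwiki.iconset.render.html = #set($mydoc = $doc.getDocument()) $mydoc.setContentAuthorReference("xwiki:XWiki.Admin") $mydoc.setTitle($icon) $mydoc.getTitle()
xwiki.iconset.render.wiki = {{cache}}{{groovy}}println("Hello from Font Awesome ${icon}!"){{/groovy}}{{/cache}}
home = house
"""
# Constructed benign theme: only a bare $icon reference inside markup, which the scanner leaves alone.
CLEAN_THEME = """\
xwiki.iconset.render.html = <span class="icon-$icon"></span>
xwiki.iconset.render.wiki = (% class="icon-$icon" %)
home = house
"""
```

      Calling scan_icon_theme(TAMPERED_THEME) reports a directive and a method call on the html property and the cache and groovy macros on the wiki property, while scan_icon_theme(CLEAN_THEME) returns an empty list.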

      People

        Michael Hamann