XWiki Platform: XWIKI-20610

Privilege escalation (PR) from account through NotificationRSSService


    Description

      Steps to Reproduce:

      1. Log in as a user without script or programming rights.
      2. Go to the notification preferences in your user profile.
      3. Disable the "Own Events Filter" and enable notifications in the notification menu for "Like".
      4. Set your first name to
         {{cache id="security" timeToLive="1"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}
      5. Click on the like button at the bottom left of the user profile.
      6. Click on the notifications bell in the top bar and then on "RSS Feed".

      Expected result:

      The full text that we set as first name is displayed in the description of the feed item that says that the profile has been liked.

      Actual result:

      The text "Profile of Hello from groovy! </a> .<br/> liked by Hello from groovy! </p>" is displayed, showing that the Groovy macro has been executed.

      This demonstrates a privilege escalation from a simple user account to programming rights/remote code execution.
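      A defender triaging this class of issue wants to know which existing accounts already carry macro syntax in profile fields that end up rendered into notification text. The script below is an added example for this page, not XWiki's own code: it scans a constructed export of user profile fields (assumed shape: account name to field name to value) for XWiki macro invocations, skips verbatim blocks and escaped braces, flags script macros as high severity, and shows an assumed escaping helper (prefixing syntax characters with `~`, the XWiki 2.x escape character) that a template could apply before embedding a user-controlled string in wiki markup. The field names, the export format and the escaping rule are assumptions; the first sample value is the exact payload from the steps above.

```python
import re
from typing import Dict, List, NamedTuple

# XWiki script macros. Any of these executing from a profile field means the
# field was rendered with script/programming rights it should never have had.
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "ruby", "script"}

# Verbatim blocks {{{ ... }}} are not parsed for macros, so drop them first.
VERBATIM_RE = re.compile(r"\{\{\{.*?\}\}\}", re.DOTALL)

# Opening (or self-closing) macro tag: {{name param="value" ...}} or {{name/}}.
# A '~' directly before '{{' escapes the first brace in XWiki 2.x syntax, so it
# is not a macro start (simplification: a doubled '~~{{' would still be one).
MACRO_OPEN_RE = re.compile(
    r"(?<!~)\{\{\s*([A-Za-z][\w-]*)(?:\s[^}]*?)?\s*/?\}\}"
)

# The payload from the issue description, used as constructed sample input.
PAYLOAD = (
    '{{cache id="security" timeToLive="1"}}'
    '{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}'
)

# Constructed profile export; the "XWiki.<name>" account names are assumptions.
SAMPLE_PROFILES: Dict[str, Dict[str, str]] = {
    "XWiki.Alice": {"first_name": "Alice", "last_name": "Example"},
    "XWiki.Mallory": {"first_name": PAYLOAD, "last_name": "M"},
    # Verbatim block and escaped brace: both render literally, so not findings.
    "XWiki.Bob": {"first_name": "{{{{{groovy}}x{{/groovy}}}}}",
                  "last_name": "~{{groovy}}"},
    # Non-script macro: still wrong in a name field, but not code execution.
    "XWiki.Carol": {"first_name": "{{info}}Carol{{/info}}", "last_name": "C"},
}


class Finding(NamedTuple):
    user: str
    field: str
    macros: List[str]
    severity: str


def find_macros(text: str) -> List[str]:
    """Return the macro names invoked in text, in order; closing tags ignored."""
    stripped = VERBATIM_RE.sub("", text)
    return [m.group(1).lower() for m in MACRO_OPEN_RE.finditer(stripped)]


def classify(macros: List[str]) -> str:
    """Severity: 'high' if any script macro is present, 'medium' for other macros."""
    if any(m in SCRIPT_MACROS for m in macros):
        return "high"
    return "medium" if macros else "none"


def scan_profiles(profiles: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Scan every field of every profile and report fields containing macros."""
    findings = []
    for user, fields in profiles.items():
        for field, value in fields.items():
            macros = find_macros(value)
            if macros:
                findings.append(Finding(user, field, macros, classify(macros)))
    return findings


def escape_xwiki_syntax(text: str) -> str:
    """Prefix every character that is not a letter, digit or whitespace with '~'
    so the XWiki 2.x parser treats it literally. Assumed escaping rule for this
    example; it is not XWiki's own escaping helper."""
    return "".join(c if c.isalnum() or c.isspace() else "~" + c for c in text)


if __name__ == "__main__":
    for f in scan_profiles(SAMPLE_PROFILES):
        print(f"{f.severity:6} {f.user}.{f.field}: {', '.join(f.macros)}")
    print("escaped payload no longer parses as macros:",
          find_macros(escape_xwiki_syntax(PAYLOAD)) == [])
```

      Run against a real export, the "high" findings are the accounts to inspect first; the escaping helper is the shape of check a feed template needs on any user-controlled string it embeds in wiki markup, the alternative being to never pass such strings through the wiki renderer at all.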


      People: MichaelHamann Michael Hamann