XWiki Platform / XWIKI-20624

Privilege escalation from script right to programming right through title displayer


Details

    • Integration
    • Unknown
    • N/A

    Description

      Steps to reproduce:

      As a user with script but not programming right, create a document with the following content:

      {{velocity}}
      #set($main = $xwiki.getDocument('AppWithinMinutes.DynamicMessageTool'))
      $main.setTitle('$doc.getDocument().getContentAuthor()')
      $main.getPlainTitle()
      {{/velocity}}
      

      Expected result:

      The literal string $doc.getDocument().getContentAuthor() is displayed unchanged, because the getDocument() call requires programming rights, which the author of the new document does not have.

      Actual result:

      XWiki.superadmin or another author with programming rights is displayed.

      This shows that a user with only script right was able to call an API that requires programming rights. The reason is that the context document's author stays unchanged after setTitle() is called: the title displayer sets the original document (whose content author has programming rights) as the context document when it evaluates the modified title, so the injected Velocity runs with that author's rights instead of the rights of the user who modified the title.

            People

              tmortagne Thomas Mortagne
              MichaelHamann Michael Hamann