XWiki Platform
XWIKI-20715

Arbitrary server side file writing from account through office converter



    Description

      Steps to reproduce:

      1. Activate the office server
      2. Upload an arbitrary file with the extension .doc, e.g., to your user profile (you can use a regular plain text file, only the extension seems to matter).
      3. Use the attachment move feature to rename the file to ../../../../../home/michael/Hello from XWiki.txt where the latter part is the location of a file you want to write on the server. The number of ../ depends on the directory depth, the provided example should work on Linux with the demo distribution.
      4. Click the "preview" link to trigger the office converter

      Expected result:

      A preview of the office file is displayed.

      Actual result:

      An error is displayed, but the office file is written to the specified location. This can most likely be used to override xwiki.cfg and set the superadmin password to gain superadmin access (not tried yet).
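      The underlying defect is that a user-controlled attachment name ends up used as a file name without confirming that the resulting path stays inside the converter's working directory. The following containment check is added here as an illustration and is not XWiki's own code; `workDir`, `resolveInside` and the placeholder target path are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Rejects attachment names that would escape a converter's working directory. */
public final class SafeConverterOutput {

    /**
     * Resolves attachmentName against workDir and returns the normalized absolute
     * path, or throws if the result would leave workDir.
     * Hypothetical helper for illustration, not an XWiki API.
     */
    public static Path resolveInside(Path workDir, String attachmentName) {
        // A bare attachment file name should never contain separators, NUL bytes
        // or be a directory reference, on any platform: reject those outright.
        if (attachmentName.isEmpty()
                || attachmentName.contains("/")
                || attachmentName.contains("\\")
                || attachmentName.indexOf('\0') >= 0
                || attachmentName.equals(".")
                || attachmentName.equals("..")) {
            throw new IllegalArgumentException("Invalid attachment name: " + attachmentName);
        }
        Path base = workDir.toAbsolutePath().normalize();
        Path target = base.resolve(attachmentName).normalize();
        // Defence in depth: after the character check, still verify containment
        // component-wise (Path.startsWith compares path elements, not prefixes).
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("Name escapes work directory: " + attachmentName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path workDir = Files.createTempDirectory("office-work"); // constructed sample dir
        System.out.println("Accepted: " + resolveInside(workDir, "report.doc"));
        try {
            // Same shape as the renamed attachment in the report, with a placeholder target.
            resolveInside(workDir, "../../../../../PLACEHOLDER_DIR/Hello from XWiki.txt");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```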

      People

        Michael Hamann