Details
- Bug
- Resolution: Fixed
- Blocker
- 5.1-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
1. As an advanced user, use the object editor to add an object of type UIExtensionClass to your user profile. Set the value "Extension Point ID" to
{{/html}}{{async async=false cache=false}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}
2. Open <xwiki-host>/xwiki/bin/edit/XWiki/<username>?sheet=Menu.UIExtensionSheet where <xwiki-host> is the URL of your XWiki installation and <username> is your user name.
Expected result:
No raw HTML is shown, and in particular the string "Hello from Groovy!" does not appear without the surrounding macro syntax.
Actual result:
Hello from Groovy!" selected="selected"> menu.uix.extensionPoint.value.{{/html}}Hello from Groovy! </option> </select>{{/html}}
is displayed below the first select, showing that the Groovy macro has been executed.
This demonstrates a privilege escalation to programming rights from a plain user account that has no script, programming, or edit rights outside its own profile. The attack also works on any other document the user can edit. The affected version is most likely much older than indicated.
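As an added audit helper (not part of this report or of XWiki), the check below flags stored "Extension Point ID" values that carry XWiki macro delimiters, which is what lets the value break out of the sheet's {{html}} macro. The sample values are constructed; the identifier allow-list pattern is an assumption about what legitimate extension point IDs look like.

```python
import re

# Constructed sample values: one benign dotted ID, the payload from the
# report above, and a value that is merely malformed.
SAMPLE_VALUES = [
    "org.xwiki.platform.menu.content",
    '{{/html}}{{async async=false cache=false}}{{groovy}}'
    'println("Hello from Groovy!"){{/groovy}}{{/async}}',
    "my.extension point",
]

# Any opening or closing macro marker, e.g. {{html}}, {{/html}}, {{groovy}}.
MACRO_RE = re.compile(r"\{\{/?[A-Za-z][\w-]*")

# Assumed allow-list for a legitimate extension point ID: a dotted identifier.
ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def contains_macro_syntax(value: str) -> bool:
    """True when the value contains XWiki macro delimiters."""
    return MACRO_RE.search(value) is not None


def is_valid_extension_point_id(value: str) -> bool:
    """True when the value matches the assumed identifier allow-list."""
    return ID_RE.fullmatch(value) is not None


def audit(values):
    """Return (value, reason) pairs for entries that need review."""
    findings = []
    for value in values:
        if contains_macro_syntax(value):
            findings.append((value, "macro syntax"))
        elif not is_valid_extension_point_id(value):
            findings.append((value, "not an identifier"))
    return findings


def validate_before_save(value: str) -> str:
    """Reject a value rather than store it; escaping at render time is the
    other half of the fix but does not help once macro text is persisted."""
    if not is_valid_extension_point_id(value):
        raise ValueError("extension point ID must be a dotted identifier")
    return value


if __name__ == "__main__":
    for value, reason in audit(SAMPLE_VALUES):
        print(f"{reason}: {value[:40]}")
```

Run it over values exported from users' XWiki.UIExtensionClass objects to find entries that were stored before the fix.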
Issue Links
- is caused by XWIKI-9148 Implement an extensible and reusable horizontal menu (Closed)