XWiki Platform / XWIKI-20818

Cookies are sent to external images in rendered diff (and server side request forgery)



    • Unit, Integration
    • Unknown


      Steps to reproduce:

      1. Edit a document to add 101 different images with references to the attacker's server (could be the user profile).
      2. In any place add an image with a reference to /xwiki/bin/view/Image%20Cookie%20Test/?xpage=changes&rev1=1.1&rev2=2.1&include=renderedChanges where Image%20Cookie%20Test needs to be replaced by the path to the document with the images and the two revisions should match the revision before/after adding the images.

      Expected result:

      Regardless of who visits the document with the image with the revision URL, no cookies (and in fact no requests at all) are sent to the attacker's server.

      Actual result:

      Requests with cookies of any user who views the image with the revision URL are sent to the attacker's server. This allows stealing the cookies of any user. Due to XWIKI-5406 this potentially allows recovering the username and password of any user (including admin users). Further, with the session id cookie alone, the user can be impersonated for a limited period of time.

      While stealing cookies is the more severe attack, this also allows server-side request forgery.

      The vulnerable code is here: https://github.com/xwiki/xwiki-platform/blob/dd9f58e04afe45d8a8b96af9e98b824b9f5070f5/xwiki-platform-core/xwiki-platform-diff/xwiki-platform-diff-xml/src/main/java/org/xwiki/diff/xml/internal/DefaultDataURIConverter.java#L139

      The 101 images are used because the requested images are cached in a cache with a maximum size of 100 items.

      I think the code should be changed to not create data URIs for external images.
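
The suggested mitigation, sketched as an added example that is not XWiki's code or its actual fix: a check that lets a converter inline only images resolving to the wiki's own scheme, host and port, and leave every other `<img>` untouched. The class name `ImageEmbedPolicy`, the method `mayEmbed` and the base URL `https://wiki.example.org/xwiki/` are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper (not XWiki code): may an image be fetched server side and inlined? */
public final class ImageEmbedPolicy {
    private final URI base;

    /** @param wikiBaseUrl absolute base URL of the wiki (a constructed value in main below) */
    public ImageEmbedPolicy(String wikiBaseUrl) {
        this.base = URI.create(wikiBaseUrl);
        if (this.base.getScheme() == null || this.base.getHost() == null) {
            throw new IllegalArgumentException("base URL must be an absolute http(s) URL");
        }
    }

    private static int port(URI uri) {
        int p = uri.getPort();
        return p != -1 ? p : ("https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80);
    }

    /** True only if the reference resolves to the wiki's own scheme, host and port. */
    public boolean mayEmbed(String imageSrc) {
        URI target;
        try {
            // Resolves relative and protocol-relative ("//host/...") references.
            target = this.base.resolve(new URI(imageSrc.trim()));
        } catch (URISyntaxException e) {
            return false; // unparsable reference: leave the <img> untouched
        }
        if (target.getScheme() == null || target.getHost() == null) {
            return false; // opaque URIs such as data: or mailto:
        }
        return target.getScheme().equalsIgnoreCase(this.base.getScheme())
            && target.getHost().equalsIgnoreCase(this.base.getHost())
            && port(target) == port(this.base);
    }

    public static void main(String[] args) {
        ImageEmbedPolicy policy = new ImageEmbedPolicy("https://wiki.example.org/xwiki/");
        String[] samples = { // constructed sample references
            "/xwiki/bin/download/Main/WebHome/logo.png",
            "//attacker.example/pixel.png",
            "https://wiki.example.org@attacker.example/pixel.png",
            "http://wiki.example.org/xwiki/a.png"
        };
        for (String src : samples) {
            System.out.println((policy.mayEmbed(src) ? "embed " : "skip  ") + src);
        }
    }
}
```

If the server-side fetch follows HTTP redirects, the same check has to be applied to every redirect target (or redirects disabled), and the viewer's cookies should not be attached to the outgoing request.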





              MichaelHamann Michael Hamann