Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- 3.2 M3
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- As a user without script right, add the syntax
[[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)]]
anywhere an admin might visit (e.g., in a comment on the main document). Optionally, hide the image from view by positioning it outside the visible area, e.g., with a large negative margin.
- Wait for an admin to view the page containing that image (or, for reproduction, simply view the document as an admin).
Expected result:
No log message is produced, as no code should be executed (or possibly an error about a missing CSRF token is displayed).
Actual result:
Log messages in the form
2023-04-17 16:26:46,646 [qtp320304382-2147 - http://localhost:9015/xwiki/bin/edit/Foo/WebHome?template=&parent=Main.WebHome&title=%24services.logging.getLogger%28%22foo%22%29.error%28%22Script+executed%21%22%29&form_token=9dWcJtMtEfSDgs9G20h6vw] ERROR foo - Script executed!
are written, showing that the Velocity code in the title parameter has been executed. Note that the logged URL is the edit action with a form_token appended, i.e., the create action redirected to the edit action and the token was added along the way. The script runs with the rights of the admin user, so an attacker without script right effectively gains programming right. While the length of the title is limited, it should be possible to load and evaluate further code from there, e.g., from a document the attacker controls.
This demonstrates a CSRF attack resulting in remote code execution. It is similar to XWIKI-20386, but via the create action instead; it is probably similarly old.
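The following is an added triage helper written for this report; it is not part of the XWiki code base or of the original issue. It scans XWiki syntax (e.g., a comment body) for image references whose target is an XWiki action URL other than a read-only one, which is how the report smuggles a create request into a page an admin will open, and it inspects URLs (from a page or from a log line) for Velocity syntax in the title parameter, which is the vector shown being evaluated above. The regular expressions, the list of read-only actions, and the second sample log line are assumptions of this example; the first sample log line is the one quoted in the report.

```python
"""
Added example (not from the XWiki issue or the XWiki code base): detect the
CSRF-via-image pattern described in the report.

Assumptions of this example: XWiki 2.x image syntax with an explicit
path:/url: reference, URLs of the form /<context>/bin/<action>/Space/Page,
and a hand-picked set of read-only actions.
"""
import re
from urllib.parse import urlsplit, parse_qs

# [[image:path:/xwiki/bin/create/Foo/WebHome?title=...]] or image:url:... ;
# the optional ||params part (e.g. a hiding style) is deliberately not captured.
IMAGE_REF_RE = re.compile(r"\[\[image:(?:path|url):([^\]|]+)(?:\|\|[^\]]*)?\]\]")

# Velocity references ($foo, $!{foo}) and common directives (#set, #if, ...).
VELOCITY_RE = re.compile(
    r"\$!?\{?[A-Za-z_]|#(?:set|if|foreach|macro|evaluate|include|parse)\b"
)

# Actions that merely read; anything else loaded as an "image" is suspicious.
# This list is an assumption of the example, not an XWiki-provided one.
READ_ONLY_ACTIONS = {"view", "download", "skin", "viewrev", "get"}

# URLs as they appear inside the bracketed thread/URL field of the log format.
URL_IN_LOG_RE = re.compile(r"https?://[^\s\]\"']+")


def xwiki_action(url):
    """Return the action name from /<context>/bin/<action>/Space/Page, or None."""
    parts = urlsplit(url).path.split("/")
    if "bin" in parts:
        idx = parts.index("bin")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return None


def velocity_in_title(url):
    """Return the decoded title parameter if it contains Velocity syntax, else None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes %xx and '+'
    for title in qs.get("title", []):
        if VELOCITY_RE.search(title):
            return title
    return None


def suspicious_images(xwiki_text):
    """Return [(url, [reasons])] for image references that look like CSRF vehicles."""
    findings = []
    for m in IMAGE_REF_RE.finditer(xwiki_text):
        url = m.group(1).strip()
        reasons = []
        action = xwiki_action(url)
        if action and action not in READ_ONLY_ACTIONS:
            reasons.append(f"image points at state-changing action '{action}'")
        title = velocity_in_title(url)
        if title is not None:
            reasons.append(f"Velocity syntax in title: {title!r}")
        if reasons:
            findings.append((url, reasons))
    return findings


def scan_log_lines(lines):
    """Return (line_no, action, title) for log lines whose URL carries Velocity in title."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_IN_LOG_RE.findall(line):
            title = velocity_in_title(url)
            if title is not None:
                hits.append((n, xwiki_action(url), title))
    return hits


# The payload from the report (as an attacker would post it in a comment), with
# the hiding trick the report mentions, plus a benign image reference.
PAYLOAD_COMMENT = (
    "Nice page! [[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome"
    "&title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)"
    '||style="margin-left:-9999px"]]'
)
BENIGN_COMMENT = "[[image:path:/xwiki/bin/download/Sandbox/WebHome/logo.png]]"

SAMPLE_LOG_LINES = [
    # Line 1 is the log line quoted in the report; line 2 is constructed for this example.
    "2023-04-17 16:26:46,646 [qtp320304382-2147 - http://localhost:9015/xwiki/bin/edit/Foo/WebHome"
    "?template=&parent=Main.WebHome&title=%24services.logging.getLogger%28%22foo%22%29"
    ".error%28%22Script+executed%21%22%29&form_token=9dWcJtMtEfSDgs9G20h6vw] ERROR foo - Script executed!",
    "2023-04-17 16:27:01,002 [qtp320304382-2148 - http://localhost:9015/xwiki/bin/view/Main/WebHome]"
    " INFO  o.x.example - page viewed",
]

if __name__ == "__main__":
    for url, reasons in suspicious_images(PAYLOAD_COMMENT):
        print(url, "->", "; ".join(reasons))
    for line_no, action, title in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"log line {line_no}: action={action} title={title!r}")
```

Both checks are heuristics: the comment scanner only catches the explicit path:/url: image syntax, and the title check flags any `$`-reference, so plain titles such as "Q1 $ report" would need whitelisting. The log check is the more reliable of the two, since it sees the URL exactly as the server received it after the create-to-edit redirect.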