Details
- Bug
- Resolution: Fixed
- Blocker
- 2.3
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Log in as a regular user without script, admin or programming rights.
- Edit your user profile (or any other editable page) and add an object of type "XWiki.ConfigurableClass" ("Custom configurable sections").
- Set "Display in section" to "other".
- Set "Heading" to
{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from Heading succeeded!"); println("Hello from Groovy!"){{/groovy}}{{/async}}
- Set "Display in Category" to "other"
- Set "Scope" to "Wiki and all spaces"
- Click "Save"
- Open <xwiki-host>/xwiki/bin/view/Main/?sheet=XWiki.AdminSheet&viewer=content&editor=globaladmin&section=other where <xwiki-host> is the URL of your XWiki installation.
Expected result:
No error is logged; at most, the raw value of the heading is displayed as text.
Actual result:
"Hello from Groovy!" is displayed and the error
2023-07-10 18:08:28,006 [org.xwiki.rendering.async.internal.AsyncRendererJob@28283748([async, macro, xwiki:XWiki.ConfigurableClass, 40, author, xwiki:XWiki.Admin, rendering.restricted, false, secureDocument, xwiki:XWiki.ConfigurableClass, 268])] ERROR attacker - Attack from Heading succeeded!
appears in the log, showing that the Groovy code was executed (with the rights of the author of XWiki.ConfigurableClass rather than those of the user who entered the heading).
It is not clear to me if this vulnerability has been introduced in XWIKI-18222 or if it has just been modified, so the affects version of 13.0 might not be fully accurate.
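As an added example (not part of this report or of XWiki's own code), a small Python check that scans XWiki log lines in the format quoted above and surfaces records written by a non-XWiki logger from inside an unrestricted async rendering job, together with the author whose rights the job ran under. The layout of the job context list and the list of trusted logger prefixes are assumptions; all sample lines except the one from the report are constructed.

```python
import re

# Sample log: the first line is the one quoted in the report; the others are constructed
# here to show what the heuristic does and does not flag.
SAMPLE_LOG = """\
2023-07-10 18:08:28,006 [org.xwiki.rendering.async.internal.AsyncRendererJob@28283748([async, macro, xwiki:XWiki.ConfigurableClass, 40, author, xwiki:XWiki.Admin, rendering.restricted, false, secureDocument, xwiki:XWiki.ConfigurableClass, 268])] ERROR attacker - Attack from Heading succeeded!
2023-07-10 18:09:01,120 [org.xwiki.rendering.async.internal.AsyncRendererJob@1a2b3c4d([async, macro, xwiki:Main.WebHome, 12, author, xwiki:XWiki.Admin, rendering.restricted, true, secureDocument, xwiki:Main.WebHome, 5])] INFO org.xwiki.rendering.macro - rendered
2023-07-10 18:10:15,500 [http-nio-8080-exec-3] WARN org.xwiki.store - slow query
"""

# log4j-style layout: "<date> <time> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>.*)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")
# The async job prints its context as a flat list: a positional prefix (macro, type,
# document, id) followed by key/value pairs such as "author" and "rendering.restricted".
# This layout is an assumption inferred from the single line quoted in the report.
ASYNC_RE = re.compile(r"AsyncRendererJob@[0-9a-f]+\(\[(?P<ctx>.*)\]\)$")
# Assumed prefixes of XWiki's own loggers; any other logger inside a rendering job is
# most likely a user-supplied script calling the logging service.
TRUSTED_LOGGER_PREFIXES = ("org.xwiki.", "com.xpn.xwiki.", "org.apache.", "org.hibernate.")

def parse_async_context(thread):
    """Return the async job context as a dict, or None if the thread is not an async job."""
    m = ASYNC_RE.search(thread)
    if m is None:
        return None
    items = [s.strip() for s in m.group("ctx").split(",")]
    ctx = {"document": items[2] if len(items) > 2 else None}
    for key, val in zip(items[4::2], items[5::2]):
        ctx[key] = val
    return ctx

def find_script_logging(log_text):
    """Flag records from a non-XWiki logger emitted by an unrestricted async rendering job."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ctx = parse_async_context(m.group("thread"))
        if ctx is None:
            continue
        unrestricted = ctx.get("rendering.restricted") == "false"
        foreign_logger = not m.group("logger").startswith(TRUSTED_LOGGER_PREFIXES)
        if unrestricted and foreign_logger:
            findings.append({"time": m.group("ts"), "author": ctx.get("author"),
                             "document": ctx["document"], "logger": m.group("logger"),
                             "message": m.group("msg")})
    return findings

for f in find_script_logging(SAMPLE_LOG):
    print(f"{f['time']} script logging in {f['document']} (author {f['author']}): {f['logger']}: {f['message']}")
```

Scripts written by users who legitimately hold script rights also log this way, so the output is a review queue rather than a verdict; the author field tells you whose rights each job ran with.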