Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-21335

Privilege escalation (PR) from account through UIExtension parameters

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. As a user without script or admin right, edit your user profile with the object editor.
      2. Add a UIExtension object.
      3. Set the values as follows:
        1. Extension Point ID: org.xwiki.platform.panels.Applications
        2. Extension ID: platform.panels.myFakeApplication
        3. Extension parameters:  
          label=I got programming right: $services.security.authorization.hasAccess('programming')
target=Main.WebHome
targetQueryString=
icon=icon:bomb
        4. Extension Scope: "Current User".
      4. Save the document and open any document.

      Expected result:

      No application entry is displayed or the Velocity code isn't executed.

      Actual result:

      A new entry is displayed in the application panel with label "I got programming right: true".

      I also reproduced this issue on XWiki 7.2 but I assume it is older. Here screenshots from 7.2:

      The same issue can also be reproduce with other UI extension points like export formats.

      Attachments

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. XWIKI-649 Mechanism for inserting custom content in pre-existing code

          • Major - Major loss of function.
          • Closed
          links to

          Web Link Security Advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: