XWiki Platform - XWIKI-21335

Privilege escalation (PR) from account through UIExtension parameters



    Description

      Steps to reproduce:

      1. As a user without script or admin right, edit your user profile with the object editor.
      2. Add a UIExtension object.
      3. Set the values as follows:
        1. Extension Point ID: org.xwiki.platform.panels.Applications
        2. Extension ID: platform.panels.myFakeApplication
        3. Extension parameters: 
          label=I got programming right: $services.security.authorization.hasAccess('programming')
          target=Main.WebHome
          targetQueryString=
          icon=icon:bomb
        4. Extension Scope: "Current User".
      4. Save the document and open any document.

      Expected result:

      No application entry is displayed or the Velocity code isn't executed.

      Actual result:

      A new entry is displayed in the application panel with label "I got programming right: true".

      I also reproduced this issue on XWiki 7.2 but I assume it is older. Here are screenshots from 7.2:

      The same issue can also be reproduced with other UI extension points like export formats.
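As an added illustration (not XWiki project code) of how an administrator could audit an XML page export for the pattern described in this report, the script below flags UIExtension objects whose parameters contain Velocity syntax, together with the page author, so that those objects can be checked against the author's rights. The export layout, the property names and the sample document are assumptions constructed for this example, with the parameters taken from the report.

```python
"""Flag XWiki UIExtension objects whose parameters contain Velocity syntax (added
illustration for XWIKI-21335, not XWiki code; the export layout is an assumption)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample export: the parameters from the report plus a harmless object.
SAMPLE_EXPORT = """<xwikidoc>
  <web>XWiki</web>
  <name>SomeUser</name>
  <author>xwiki:XWiki.SomeUser</author>
  <object>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.panels.Applications</extensionPointId></property>
    <property><name>platform.panels.myFakeApplication</name></property>
    <property><parameters>label=I got programming right: $services.security.authorization.hasAccess('programming')
target=Main.WebHome
targetQueryString=
icon=icon:bomb</parameters></property>
    <property><scope>user</scope></property>
  </object>
  <object>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.panels.Applications</extensionPointId></property>
    <property><name>platform.panels.harmless</name></property>
    <property><parameters>label=Plain label
target=Main.WebHome</parameters></property>
    <property><scope>user</scope></property>
  </object>
</xwikidoc>"""

# Velocity references ($var, ${...}, $!var) and directives (#if, #set, ...).
VELOCITY_RE = re.compile(r"\$!?\{?[A-Za-z_]|#\{?[A-Za-z]")

def find_velocity_uix(export_xml):
    """Return (author, extension id, parameter key) for every parameter holding Velocity."""
    root = ET.fromstring(export_xml)
    author = root.findtext("author", default="")
    hits = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.UIExtensionClass":
            continue
        ext_id = obj.findtext("property/name", default="")
        params = obj.findtext("property/parameters", default="")
        for line in params.splitlines():
            key, _, value = line.partition("=")
            if VELOCITY_RE.search(value):
                hits.append((author, ext_id, key.strip()))
    return hits
```

Each hit names the document author, so the next step is to verify whether that author actually holds script or programming right; an object whose author does not is the case this report describes.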

      Attachments

        1. image-2023-09-20-14-58-11-158.png (158 kB, Michael Hamann)
        2. image-2023-09-20-14-58-45-296.png (15 kB, Michael Hamann)
        3. image-2023-09-20-14-59-41-772.png (15 kB, Michael Hamann)
        4. image-2023-09-20-15-00-03-535.png (36 kB, Michael Hamann)
        5. screenshot-1.png (159 kB, Michael Hamann)

      People

        Michael Hamann

      Votes: 0
      Watchers: 1