XWiki Platform: XWIKI-21424

CSRF remote code execution through the realtime HTML Convertor API


    Description

      Steps to reproduce:

      1. As a user without script or admin rights, create a comment (or any other content that admins will view) that includes the following image: [[image:path:/xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki&space=Main&page=WebHome&text=%7B%7Bvelocity%7D%7D%24logtool.error%28%22Hello%20from%20Velocity%20%21%22%29%7B%7B%2Fvelocity%7D%7D]]. The text parameter URL-decodes to {{velocity}}$logtool.error("Hello from Velocity !"){{/velocity}}. Optionally, position the image outside the viewport, e.g. with a negative margin, so the admin never sees it.
      2. As admin, view that comment.

      Expected result:

      Nothing happens.

      Actual result:

      The error "Hello from Velocity !" is logged: the Velocity macro was executed server-side, with the rights of the admin whose browser fetched the "image".

      This demonstrates a CSRF vulnerability in the realtime HTML Convertor API that allows remote code execution: the ConvertHTML endpoint accepts a plain GET request and renders the attacker-supplied text with the rights of whoever issues the request. Any logged-in user can embed Velocity scripts or Groovy programs in any content they have write access to; the script is executed whenever a user with the necessary rights (script right for Velocity, programming right for Groovy) views that content. If an admin can be made to open the link by other means, the attacker does not even need an account.
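      The indicators in the report (a GET to RTFrontend/ConvertHTML whose text parameter carries a script macro, and wiki image syntax pointing at that endpoint) are enough to hunt for exploitation both in web-server access logs and in stored wiki content. The following Python script is an added example, not XWiki project code and not part of this report. It assumes an Apache/Tomcat combined access log format, the /bin/get/RTFrontend/ConvertHTML servlet path from the report (the /xwiki context root varies per install), and a list of script macro names beyond the {{velocity}} the report demonstrates; the log lines and wiki markup it runs on are constructed samples.

```python
"""Hunt for abuse of the XWiki RTFrontend/ConvertHTML endpoint (XWIKI-21424).

Added example; not XWiki code. Log lines and markup below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Servlet path from the report; the context root (/xwiki) differs per install.
CONVERT_PATH = "/bin/get/RTFrontend/ConvertHTML"

# Script macros that execute server-side with the *viewer's* rights when the text
# is rendered. Assumed list of common XWiki script macros; the report shows {{velocity}}.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(velocity|groovy|python|script)\b", re.IGNORECASE)

# Apache/Tomcat "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# XWiki 2.x image syntax: [[image:<reference>||<parameters>]]
WIKI_IMAGE_RE = re.compile(r"\[\[image:(?P<ref>.+?)\]\]", re.DOTALL)


def script_macros_in(text):
    """Lower-cased, de-duplicated names of script macros opened in a text payload."""
    return sorted({m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(text)})


def inspect_convert_url(url):
    """Return details if url targets ConvertHTML with a script macro in 'text', else None.

    parse_qs percent-decodes the query, so %7B%7Bvelocity%7D%7D is seen as {{velocity}}.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(CONVERT_PATH):
        return None
    texts = parse_qs(parts.query, keep_blank_values=True).get("text", [])
    macros = sorted({m for t in texts for m in script_macros_in(t)})
    if not macros:
        return None
    return {"macros": macros, "text": "".join(texts)}


def hunt_access_log(lines):
    """Flag GET requests to ConvertHTML carrying script macros.

    GET is the CSRF shape from the report (an <img> can only issue GETs). The Referer
    is the page whose rendering triggered the fetch, i.e. where the planted image
    likely lives. The HTTP status is ignored on purpose: the macro already ran
    server-side while the response was being built, whatever the status was.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_convert_url(m["target"])
        if finding is None:
            continue
        hits.append({"victim": m["user"], "ip": m["ip"], "time": m["time"],
                     "method": m["method"], "referer": m["referer"],
                     "status": m["status"], **finding})
    return hits


def scan_wiki_content(markup):
    """Find image references in XWiki markup that call ConvertHTML with a script macro."""
    findings = []
    for m in WIKI_IMAGE_RE.finditer(markup):
        ref, _, params = m["ref"].partition("||")
        # 'path:' and 'url:' references both make the viewer's browser fetch the URL.
        target = re.sub(r"^(path|url):", "", ref.strip())
        finding = inspect_convert_url(target)
        if finding:
            findings.append({"target": target, "params": params.strip(), **finding})
    return findings


# Constructed sample data: one exploitation fetch, one benign editor call, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - Admin [14/Oct/2023:09:12:44 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML'
    '?wiki=xwiki&space=Main&page=WebHome&text=%7B%7Bvelocity%7D%7D%24logtool.error%28%22Hello'
    '%20from%20Velocity%20%21%22%29%7B%7B%2Fvelocity%7D%7D HTTP/1.1" 200 512 '
    '"https://wiki.example.org/xwiki/bin/view/Main/WebHome" "Mozilla/5.0"',
    '10.0.0.7 - alice [14/Oct/2023:09:13:01 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML'
    '?wiki=xwiki&space=Main&page=WebHome&text=Hello%20**world** HTTP/1.1" 200 64 '
    '"https://wiki.example.org/xwiki/bin/edit/Main/WebHome" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Oct/2023:09:13:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

SAMPLE_MARKUP = (
    "Thanks for the write-up!\n"
    "[[image:path:/xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki&space=Main&page=WebHome"
    "&text=%7B%7Bgroovy%7D%7Dprintln%28%22hi%22%29%7B%7B%2Fgroovy%7D%7D"
    '||style="margin-left:-9999px"]]\n'
    '[[image:diagram.png||width="200"]]\n'
)

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print(f"{hit['time']} victim={hit['victim']} macros={hit['macros']} "
              f"referer={hit['referer']} payload={hit['text']}")
    for f in scan_wiki_content(SAMPLE_MARKUP):
        print(f"planted image: macros={f['macros']} params={f['params']}")
```

      The log hunt answers "who got hit, from which page, with what payload"; the markup scan answers "where is the planted image", which is what you need to clean up after the endpoint has been fixed. Attackers can reach the same endpoint with other encodings or through a link rather than an image, so treat both regexes as a starting point rather than a complete signature.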

            People

              pjeanjean Pierre Jeanjean
