XWiki Platform: XWIKI-21472

Remote code execution via DatabaseSearch



    Description

Steps to reproduce:

1. Open the database search at Main.DatabaseSearch
2. Search for
   }}}{{async async=false}}{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}
3. Click on the RSS feed link below the search
4. View the source of the page

      Expected result:

      An RSS feed where title and description contain the entered text is displayed.

      Actual result:

      The RSS feed is broken, the title is "RSS feed for search on Hello from search text:42". This clearly shows that the Groovy code has been executed.

This demonstrates remote code execution with nothing more than view right on the database search page (which is granted to guests by default).

The exploitable code has existed at least since XASEARCH-1, which was released in XWiki 2.4 M1.
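As an added example (not part of this issue or of the XWiki code base), the following scanner flags search requests whose query string carries wiki-syntax macro markup of the kind shown above: a closing verbatim delimiter used to break out of a {{{...}}} block, or any {{macro}} invocation. The log format, the request path ending in DatabaseSearch and the query parameter name "text" are assumptions for this illustration; the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (assumed format: method, URL, status).
SAMPLE_LOG = """\
GET /xwiki/bin/view/Main/DatabaseSearch?text=security+audit 200
GET /xwiki/bin/view/Main/DatabaseSearch?text=%7D%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D 200
GET /xwiki/bin/view/Main/DatabaseSearch?text=%7B%7Bvelocity%7D%7D%24doc%7B%7B%2Fvelocity%7D%7D 200
GET /xwiki/bin/view/Main/WebHome 200
"""

# Markers that have no business in a plain search string: the delimiter that
# closes a {{{...}}} verbatim block, and a "{{name" / "{{/name" macro tag.
VERBATIM_CLOSE = "}}}"
MACRO_RE = re.compile(r"\{\{/?\s*([A-Za-z][\w-]*)")


def macro_injection_indicators(text: str) -> dict:
    """Describe suspicious wiki-macro markup found in one search string."""
    macros = MACRO_RE.findall(text)          # macro names, e.g. ["groovy", "groovy"]
    breaks_verbatim = VERBATIM_CLOSE in text  # attempt to leave a verbatim block
    return {
        "breaks_verbatim": breaks_verbatim,
        "macros": macros,
        "suspicious": breaks_verbatim or bool(macros),
    }


def scan_access_log(log: str, param: str = "text") -> list:
    """Return (path, decoded search text, indicators) for flagged requests."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlparse(parts[1])
        if not url.path.endswith("/DatabaseSearch"):
            continue
        # parse_qs percent-decodes the value, so "%7D%7D%7D" becomes "}}}".
        for value in parse_qs(url.query).get(param, []):
            indicators = macro_injection_indicators(value)
            if indicators["suspicious"]:
                hits.append((url.path, value, indicators))
    return hits


if __name__ == "__main__":
    for path, text, ind in scan_access_log(SAMPLE_LOG):
        print(f"{path}: {text!r} -> {ind}")
```

Only GET query strings are inspected here; a search submitted in a POST body needs the same check applied to the request body.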

People

pjeanjean Pierre Jeanjean
MichaelHamann Michael Hamann