XWiki Platform: XWIKI-21478

Privilege escalation (PR) from account via custom skins support


Description

Steps to reproduce:

1. As a user without edit, script or admin right, add an object of class `XWiki.XWikiSkins` to your profile. Name it whatever you want and set the Base Skin to `flamingo`.
2. Add an object of class `XWikiSkinFileOverrideClass`, set the path to `macros.vm` and the content to:

```velocity
#macro(mediumUserAvatar $username)
  #resizedUserAvatar($username 50)
  $services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end
```

3. Go back to your profile and click `Test this skin`. Force a refresh, just in case.

Expected result:

The logs should be empty, or display "I got programming: false" if the user has script rights.

Actual result:

An error "ERROR Skin - I got programming: true" is logged.
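A detection pass an administrator could run over XWiki page XML exports to spot skin file overrides that carry Velocity script, and to call out the ones sitting on a user profile as in the steps above. This is an added example, not XWiki's own code; the export element layout (`xwikidoc`/`object`/`className`/`property`) is an assumption, and both sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Velocity references that mean the override executes script, not just markup.
SCRIPT_PATTERN = re.compile(
    r"\$(services|xwiki|xcontext|request|doc)\b|#(macro|set|evaluate)\b")

# Constructed sample export of a user profile carrying the override from the
# report (element layout is an assumption about the XWiki XML export format).
PROFILE_XML = """<xwikidoc reference="XWiki.Alice">
  <author>xwiki:XWiki.Alice</author>
  <object><className>XWiki.XWikiUsers</className></object>
  <object><className>XWiki.XWikiSkinFileOverrideClass</className>
    <property><path>macros.vm</path></property>
    <property><content>#macro(mediumUserAvatar $username)
  $services.logging.getLogger('Skin').error("got PR")
#end</content></property>
  </object>
</xwikidoc>"""

# Constructed benign case: a stylesheet override on a dedicated skin document.
SKIN_XML = """<xwikidoc reference="Skins.MySkin">
  <author>xwiki:XWiki.Admin</author>
  <object><className>XWiki.XWikiSkinFileOverrideClass</className>
    <property><path>style.less</path></property>
    <property><content>.avatar { border-radius: 50%; }</content></property>
  </object>
</xwikidoc>"""

def find_script_overrides(xml_text):
    """Return a finding per skin file override whose content contains Velocity script."""
    root = ET.fromstring(xml_text)
    on_profile = any(o.findtext("className") == "XWiki.XWikiUsers"
                     for o in root.iter("object"))
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.XWikiSkinFileOverrideClass":
            continue
        content = obj.findtext("property/content") or ""
        if SCRIPT_PATTERN.search(content):
            findings.append({"document": root.get("reference"),
                             "author": root.findtext("author"),
                             "path": obj.findtext("property/path"),
                             "on_user_profile": on_profile})
    return findings

if __name__ == "__main__":
    print(find_script_overrides(PROFILE_XML), find_script_overrides(SKIN_XML))
```

A finding on a profile page whose author holds neither script nor programming right is exactly the situation the report describes, since the override's Velocity would still run with the skin's privileges.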

People

pjeanjean Pierre Jeanjean