XWiki Platform / XWIKI-21810

XSS through XClass name in string properties


Details

• Unit
• Unknown
• N/A
• N/A
• Awaiting Committer feedback

Description

Steps to reproduce:

1. As a user without script or programming right, create a (non-terminal) document named " + alert(1) + " (the quotes need to be part of the name).
2. Edit the class.
3. Add a string property named "test".
4. Edit using the object editor and add an object of the created class.
5. Get an admin to open <xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit where <xwiki-server> is the URL of your XWiki installation.

Expected result:

No alert is displayed.

Actual result:

An alert with content "1" is displayed.

This demonstrates an XSS vulnerability as the class name is inserted into the "onfocus" attribute without escaping. The relevant code is in https://github.com/xwiki/xwiki-platform/blob/82c31ea56be4ac756140f082d216268e1dca6ac8/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/objects/classes/StringClass.java#L118
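The following is an added example, not code from this report or from xwiki-platform. It models, in JavaScript so that the handler can be executed the way a browser would, the construction the description points at: the class name is concatenated into the JavaScript source of an onfocus handler. The handler shape, the suggest URL and every function name (escapeAttr, decodeAttr, jsStringLiteral, vulnerableOnFocus, hardenedOnFocus, renderInput, simulateFocus, demo) are assumptions; the one detail taken from the report is that the class name ends up inside onfocus. What it shows is why HTML attribute escaping at serialization time is not enough on its own: the browser decodes the entities before evaluating the handler, so a quote in the class name still terminates the JS string literal and the payload " + alert(1) + " from the report runs. The hardened variant encodes for each nested context in turn (URL query, JS string literal, HTML attribute).

```javascript
// Added example, not XWiki code. It models the construction the report describes:
// a class name concatenated into the JavaScript of an onfocus handler. The handler
// shape, the suggest URL and the function names are assumptions; only the fact that
// the class name lands inside onfocus is taken from the report.

// HTML attribute escaping, as an HTML serializer applies to every attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// What the browser does before running an event-handler attribute: decode entities.
// (&amp; is decoded last so that an escaped "&amp;quot;" does not turn into a quote.)
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// A JavaScript string literal for an arbitrary value. JSON.stringify escapes quotes,
// backslashes and control characters; U+2028/U+2029 are escaped as well because
// older engines treat them as line terminators inside source text.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Vulnerable pattern: the names are spliced into a JS string literal by concatenation.
// The attribute is HTML-escaped when the element is serialized, but that protects
// only the HTML context; nothing escapes the JS string context nested inside it.
function vulnerableOnFocus(className, fieldName) {
  const script = '"/xwiki/bin/view/Main/?xpage=suggest&classname=' + className
    + '&fieldname=' + fieldName + '"';
  return 'new ajaxSuggest(this, {script:' + script + '})';
}

// Hardened pattern: encode for each nested context in turn. URL-encode the values
// for the query string, turn the resulting URL into a JS string literal, and let the
// serializer HTML-escape the whole handler as before.
function hardenedOnFocus(className, fieldName) {
  const url = '/xwiki/bin/view/Main/?xpage=suggest&classname=' + encodeURIComponent(className)
    + '&fieldname=' + encodeURIComponent(fieldName);
  return 'new ajaxSuggest(this, {script:' + jsStringLiteral(url) + '})';
}

// Serialize the <input> the way a server-side HTML element class would.
function renderInput(onfocus) {
  return '<input type="text" onfocus="' + escapeAttr(onfocus) + '">';
}

// Simulate the focus event: pull the attribute out of the markup, decode it, and run
// it as a handler with a stubbed ajaxSuggest and alert so the effect is observable.
function simulateFocus(html) {
  const match = /onfocus="([^"]*)"/.exec(html);
  const handlerSource = decodeAttr(match[1]);
  const calls = { alerts: [], scripts: [] };
  function ajaxSuggest(element, options) { calls.scripts.push(options.script); }
  function alert(value) { calls.alerts.push(value); return value; }
  new Function("ajaxSuggest", "alert", handlerSource).call({}, ajaxSuggest, alert);
  return calls;
}

// Run both builders against the document name from the report (constructed input).
function demo() {
  const evilClassName = '" + alert(1) + "';
  return {
    vulnerable: simulateFocus(renderInput(vulnerableOnFocus(evilClassName, "test"))),
    hardened: simulateFocus(renderInput(hardenedOnFocus(evilClassName, "test"))),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable run the stubbed alert is called with 1 and ajaxSuggest receives a URL whose classname parameter has become "1"; in the hardened run alert is never called and the URL carries the percent-encoded name. The more robust shape, which the example does not implement, is to drop the inline handler altogether: put the class and field names in data- attributes (HTML-escaped) and have an external script read them, so there is no JavaScript context to escape for in the first place.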

People

mleduc Manuel Leduc
MichaelHamann Michael Hamann