XWiki Platform
XWIKI-22462

The lesscss script service allows cache clearing without programming right



    Description

      The lesscss script service checks for programming right, but only on the context document, not on the secure document. Further, it does not take dropped permissions into account. While this is a security issue, the impact is minimal: exploiting it still requires script right, and the only effect is emptying caches, which degrades performance and therefore the availability of the instance. Script right already allows unlimited execution of scripts and thereby a similar impact.

      The affected code can be found at https://github.com/xwiki/xwiki-platform/blob/96caad053c14fc5546e9bc141bc284e6112dd48e/xwiki-platform-core/xwiki-platform-lesscss/xwiki-platform-lesscss-script/src/main/java/org/xwiki/lesscss/LessCompilerScriptService.java#L182
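      As an added illustration (not the code of xwiki-platform, nor its fix), the following Java class contrasts the two checks the description distinguishes: a check evaluated against the context document via `AuthorizationManager`, and a check evaluated via `ContextualAuthorizationManager`, which resolves the current user and the current secure document itself and reports no programming right once permissions have been dropped. The XWiki APIs used (`AuthorizationManager`, `ContextualAuthorizationManager`, `Right.PROGRAM`, `XWikiContext`) are the platform's public ones; the component name `lesscacheexample`, the class name and the map standing in for the LESS caches are this example's own assumptions.

```java
// Added example, not code from xwiki-platform: contrasts a context-document programming
// right check with a contextual (secure document + dropped permissions) check.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import javax.inject.Singleton;

import org.xwiki.component.annotation.Component;
import org.xwiki.security.authorization.AuthorizationManager;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;
import org.xwiki.script.service.ScriptService;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.doc.XWikiDocument;

@Component
@Named("lesscacheexample") // hypothetical name, chosen so it cannot shadow the real "lesscss" service
@Singleton
public class CacheClearingScriptServiceExample implements ScriptService
{
    @Inject
    private AuthorizationManager authorizationManager;

    @Inject
    private ContextualAuthorizationManager contextualAuthorizationManager;

    @Inject
    private Provider<XWikiContext> xcontextProvider;

    // Constructed stand-in for the LESS caches; the real service clears several caches.
    private final Map<String, String> compiledLess = new ConcurrentHashMap<>();

    /**
     * The weak pattern this issue reports. The right is evaluated for the current user on
     * the context document (the document being rendered). A script included from another
     * document executes with that other document's author rights, so the context document
     * is not the document whose rights should decide; and dropped permissions are ignored.
     */
    public boolean clearCacheCheckedOnContextDocument()
    {
        XWikiContext xcontext = this.xcontextProvider.get();
        XWikiDocument contextDoc = xcontext.getDoc();
        if (contextDoc == null) {
            return false;
        }
        boolean allowed = this.authorizationManager.hasAccess(Right.PROGRAM,
            xcontext.getUserReference(), contextDoc.getDocumentReference());
        if (!allowed) {
            return false;
        }
        this.compiledLess.clear();
        return true;
    }

    /**
     * The contextual check. ContextualAuthorizationManager takes the user and the secure
     * document from the execution context and returns false for programming right when the
     * script has dropped its permissions, which is exactly the information the weak check
     * above does not consult.
     */
    public boolean clearCache()
    {
        if (!this.contextualAuthorizationManager.hasAccess(Right.PROGRAM)) {
            return false;
        }
        this.compiledLess.clear();
        return true;
    }

    /** Exposes the stand-in cache size so a script can observe the effect of a call. */
    public int cachedEntryCount()
    {
        return this.compiledLess.size();
    }
}
```

      From a script, `$services.lesscacheexample.clearCache()` would then return false both when the secure document's author lacks programming right and after `$doc.dropPermissions()`, whereas `clearCacheCheckedOnContextDocument()` answers only for the context document.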

              People: Michael Hamann
              Votes: 0
              Watchers: 1
