Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- Fix Version/s: 12.8-rc-1, 12.6.3, 11.10.11
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
- Edit a new page in the object editor as a user without script or programming rights.
- Add an object of type XWiki.WikiMacroClass with the following values:
  - Macro id: children
  - Supports inline mode: Yes
  - Macro visibility: Current user
  - Macro content availability: No content
  - Macro code:
    {{wikimacroparameter name="content" /}}
- Add an object of type XWiki.WikiMacroParameterClass with the following values:
  - Parameter name: content
  - Parameter mandatory: No
  - Parameter default value:
    {{groovy}}println("Hello from Groovy!"){{/groovy}}
  - Parameter type: Wiki
- Save the page.
- Open the XWiki.ChildrenMacro page.
Expected result:
Either the children are displayed as usual, or an error is displayed stating that the user doesn't have programming rights.
Actual result:
"Hello from Groovy!" is displayed in the content of the page, showing that the user's Groovy script was executed, i.e. the user effectively gained programming rights.
This has most likely been caused by XWIKI-17759, hence the affects version.
This attack could in theory even be executed from the user's profile page, meaning that it should work in any wiki where the user can at least edit his/her own profile, which is the case by default.
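An administrator who wants to check an existing wiki for pages that set up the pattern described above can scan page exports for XWiki.WikiMacroParameterClass objects whose default value embeds a script macro. The following audit script is an added example, not code from the XWiki project or from the issue reporter. It assumes the general shape of XWiki's XML page export (an xwikidoc root with an author element and one object element per XObject, each carrying a className child and property children that wrap one element per field); the field names id, name, defaultValue and type are taken from the values shown in the report and are assumptions about the export format, and the sample export is constructed for the example.

```python
"""Audit an XWiki page export for wiki-macro parameter defaults that embed script macros.

Added example (not XWiki project code). The XML layout and the field names used here
(className, id, name, defaultValue, type) are assumptions about XWiki's page export.
"""
import re
import xml.etree.ElementTree as ET

# Script macros whose execution requires script or programming rights.
SCRIPT_MACRO_RE = re.compile(
    r"\{\{\s*(groovy|python|velocity|script|php|ruby)\b", re.IGNORECASE
)

# Constructed sample export: a page saved by a low-privilege user that defines a
# "children" wiki macro, one parameter whose default value is a Groovy macro (the
# pattern from the report) and one harmless parameter.
SAMPLE_EXPORT = """<xwikidoc reference="XWiki.Alice">
  <web>XWiki</web>
  <name>Alice</name>
  <author>xwiki:XWiki.Alice</author>
  <object>
    <className>XWiki.WikiMacroClass</className>
    <property><id>children</id></property>
    <property><code>{{wikimacroparameter name="content" /}}</code></property>
  </object>
  <object>
    <className>XWiki.WikiMacroParameterClass</className>
    <property><name>content</name></property>
    <property><mandatory>0</mandatory></property>
    <property><defaultValue>{{groovy}}println("Hello from Groovy!"){{/groovy}}</defaultValue></property>
    <property><type>wiki</type></property>
  </object>
  <object>
    <className>XWiki.WikiMacroParameterClass</className>
    <property><name>title</name></property>
    <property><mandatory>0</mandatory></property>
    <property><defaultValue>Child pages</defaultValue></property>
    <property><type>wiki</type></property>
  </object>
</xwikidoc>
"""


def _field(obj, field):
    """Text of the named field inside an <object>, or '' if absent (assumed layout)."""
    el = obj.find(f"./property/{field}")
    return (el.text or "") if el is not None else ""


def find_script_in_parameter_defaults(export_xml):
    """Return one finding per WikiMacroParameterClass object whose default value
    contains a script macro. Each finding names the page author, the wiki macros
    defined on the same page, the parameter and the script macro found, so an
    admin can verify whether that author actually holds the rights the script
    would execute with."""
    root = ET.fromstring(export_xml)
    author = (root.findtext("author") or "").strip()
    objects = root.findall("object")
    macro_ids = [
        _field(o, "id") for o in objects
        if o.findtext("className") == "XWiki.WikiMacroClass"
    ]
    findings = []
    for obj in objects:
        if obj.findtext("className") != "XWiki.WikiMacroParameterClass":
            continue
        default = _field(obj, "defaultValue")
        match = SCRIPT_MACRO_RE.search(default)
        if match:
            findings.append({
                "author": author,
                "macro_ids": macro_ids,
                "parameter": _field(obj, "name"),
                "parameter_type": _field(obj, "type"),
                "script_macro": match.group(1).lower(),
                "default_value": default,
            })
    return findings


if __name__ == "__main__":
    for f in find_script_in_parameter_defaults(SAMPLE_EXPORT):
        print(f"{f['author']}: macro(s) {f['macro_ids']} parameter '{f['parameter']}' "
              f"(type {f['parameter_type']}) defaults to a {f['script_macro']} macro")
```

Run it against each exported page (e.g. the pages of a XAR export); a hit on a page whose author lacks script or programming rights is exactly the situation the report describes and warrants removing the object or re-saving the page as an appropriately privileged author after review.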