XWiki Platform: XWIKI-22760

Remote code execution through default value of wiki macro wiki-type parameters



    Description

      Steps to reproduce:

      1. Edit a new page in the object editor as a user without script or programming right.
      2. Add an object of type XWiki.WikiMacroClass with the following values:
        • Macro id: children
        • Supports inline mode: Yes
        • Macro visibility: Current user
        • Macro content availability: No content
        • Macro code:
          {{wikimacroparameter name="content" /}}
      3. Add an object of type XWiki.WikiMacroParameterClass with the following values:
        • Parameter name: content
        • Parameter mandatory: No
        • Parameter default value:
          {{groovy}}println("Hello from Groovy!"){{/groovy}}
        • Parameter type: Wiki
      4. Save the page.
      5. Open the XWiki.ChildrenMacro page.

      Expected result:

      Either the children are regularly displayed, or an error is displayed that the user doesn't have programming right.

      Actual result:

      "Hello from Groovy!" is displayed in the content of the page, showing that the user gained programming right.

      This was most likely introduced by XWIKI-17759, which is why that release is listed as the affects version.

      This attack could in theory even be executed from the user's profile page, meaning that it should work in any wiki where the user can at least edit his/her own profile, which is the case by default.
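      One way an administrator can audit existing content for the pattern this report describes, as an added example that is not part of the issue or of the XWiki project itself: the script below scans a page export in XAR-style XML for XWiki.WikiMacroParameterClass objects of type wiki whose default value embeds a script macro. The XAR element layout (one <property> element per field, wrapping a single element named after the class field) and the field names name, defaultValue and type are assumptions; the sample document is constructed for this example and reuses the values from the steps above.

```python
"""Audit an XWiki page export for wiki-type macro parameters whose default
value embeds a script macro (the pattern described in XWIKI-22760).

Added example, not part of the issue or of the XWiki project.
Assumptions: XAR-style XML in which every <object> has a <className> child
and <property> children that each wrap one element named after the class
field; the field names name, defaultValue and type for
XWiki.WikiMacroParameterClass are assumed. SAMPLE_XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

PARAM_CLASS = "XWiki.WikiMacroParameterClass"

# Opening tags of script macros whose execution requires script or
# programming right.
SCRIPT_MACRO_RE = re.compile(
    r"\{\{\s*(groovy|velocity|python|script)\b", re.IGNORECASE
)


def object_properties(obj):
    """Flatten the <property><field>value</field></property> children of
    one <object> element into a {field: value} dict."""
    props = {}
    for prop in obj.findall("property"):
        for field in prop:
            props[field.tag] = field.text or ""
    return props


def find_risky_parameters(xml_text):
    """Return [(parameter name, default value)] for every wiki-type macro
    parameter whose default value contains a script macro."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != PARAM_CLASS:
            continue
        props = object_properties(obj)
        # Only wiki-type parameters matter here: their default value is
        # rendered as wiki syntax, which is what the report relies on.
        if props.get("type", "").strip().lower() != "wiki":
            continue
        default = props.get("defaultValue", "")
        if SCRIPT_MACRO_RE.search(default):
            findings.append((props.get("name", ""), default))
    return findings


# Constructed sample: one user-visible wiki macro with two parameters, one of
# which carries a Groovy default (the values from the report's steps).
SAMPLE_XML = """<xwikidoc>
  <web>Sandbox</web>
  <name>ChildrenOverride</name>
  <object>
    <className>XWiki.WikiMacroClass</className>
    <property><id>children</id></property>
    <property><visibility>Current User</visibility></property>
    <property><code>{{wikimacroparameter name="content" /}}</code></property>
  </object>
  <object>
    <className>XWiki.WikiMacroParameterClass</className>
    <property><name>content</name></property>
    <property><mandatory>0</mandatory></property>
    <property><defaultValue>{{groovy}}println("Hello from Groovy!"){{/groovy}}</defaultValue></property>
    <property><type>wiki</type></property>
  </object>
  <object>
    <className>XWiki.WikiMacroParameterClass</className>
    <property><name>title</name></property>
    <property><mandatory>0</mandatory></property>
    <property><defaultValue>Untitled</defaultValue></property>
    <property><type>wiki</type></property>
  </object>
</xwikidoc>
"""

if __name__ == "__main__":
    for name, value in find_risky_parameters(SAMPLE_XML):
        print(f"wiki-type parameter {name!r} has a script macro default: {value}")
```

      Run it over each page export in a XAR after unpacking; a hit means a user without programming right may have planted executable content in a macro parameter default, and the page author and the macro's visibility should be reviewed.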


              People
              Michael Hamann
