Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-23093

SQL injection through getdeleteddocuments.vm template sort parameter

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      It's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value.

      One can see the result of the injection with http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected (this example does not work, but it shows that an HQL query was executed with the passed value which look nothing like an order by value, without any kind of sanitation).

      Attachments

        Issue Links

          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-13164 Be able to also restore deleted children pages when restoring a parent nested page

          • Major - Major loss of function.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              tmortagne Thomas Mortagne
              zeroday
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: