XWiki Platform
XWIKI-23109

Configuration files can be accessed through jsx and sx endpoints



    Description

      It's possible to get access to and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false

      This can apparently be reproduced on any Tomcat, and it's easily reproduced on a Docker image of XWiki. This could allow an attacker to get access to sensitive data such as all the credentials of the DB.

      From a first analysis, the vulnerable code seems to be: https://github.com/xwiki/xwiki-platform/blob/f34d6bb28caf7f862eb5d98ea844b734924a8865/xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/web/sx/SxResourceSource.java#L59-L63
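The defensive pattern for this class of bug, as an added example that is not XWiki's code and not the project's actual fix: resolve the `resource` parameter against a fixed root, normalize it, and refuse anything that does not stay below that root. The root directory, the class name and the sample values are assumptions for illustration.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/**
 * Added example, not XWiki project code: confine a skin resource name taken
 * from the "resource" query parameter to one fixed directory so that a value
 * like "../../WEB-INF/xwiki.cfg" can never resolve outside it.
 */
public final class SkinResourceGuard {

    // Hypothetical root under which skin resources are allowed to live.
    private static final Path RESOURCE_ROOT =
        Paths.get("/var/lib/xwiki/skins").toAbsolutePath().normalize();

    private SkinResourceGuard() {}

    /**
     * Returns the on-disk path if "resource" stays inside RESOURCE_ROOT, or
     * Optional.empty() if it is empty, absolute, malformed, or escapes the root.
     */
    public static Optional<Path> resolve(String resource) {
        if (resource == null || resource.isEmpty() || resource.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path requested;
        try {
            requested = Paths.get(resource);
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        // The parameter must be relative to the root; absolute paths are rejected outright.
        if (requested.isAbsolute()) {
            return Optional.empty();
        }
        // normalize() collapses "." and ".." segments; startsWith() then guarantees the
        // result is still below the root regardless of how many ".." were supplied.
        Path resolved = RESOURCE_ROOT.resolve(requested).normalize();
        if (!resolved.startsWith(RESOURCE_ROOT) || resolved.equals(RESOURCE_ROOT)) {
            return Optional.empty();
        }
        return Optional.of(resolved);
    }

    public static void main(String[] args) {
        // Constructed samples: the traversal value from the report plus benign and edge cases.
        String[] samples = {"../../WEB-INF/xwiki.cfg", "flamingo/style.css", "/etc/passwd", "a/../../b.js"};
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

A servlet container hands over the parameter already URL-decoded, so no extra decoding step belongs here; symbolic links under the root are not covered by this check and would need `toRealPath()` to be caught.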

People

  tmortagne (Thomas Mortagne)
  surli (Simon Urli)
  Gregor, Nils Model