XWiki Platform
XWIKI-23902

Potential arbitrary file writing using path traversal from (subwiki) admin



    Description

      Steps to reproduce:

      Create a WebJar extension that contains a malicious path containing ../ (many times, not just once). Publish the extension in an extension repository that is configured in XWiki. Install the extension without programming right.

      Create a page that references the malicious path with a script like

      $xwiki.linkx.use($services.webjars.url('my.webjar:malicious', '../../../malicious.txt'))

      Perform an HTML export of that page.

      Expected result:

      The malicious file isn't saved anywhere.

      Actual result:

      The malicious file is saved in an attacker-controlled location based on XWiki's temporary directory. This could allow an attacker, for example, to override important configuration files and possibly change the superadmin password.

      I haven't actually reproduced this, this is based on a code path analysis by SonarQube and limited unit tests of the affected code. It cannot be excluded that the attack doesn't work in practice.

      Note that even if the attack works, the conditions are quite theoretical; having admin right is not something an attacker should have.
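The check a practitioner would want at the point where the HTML exporter resolves a requested WebJar resource path under its temporary directory, as an added example that is not XWiki's own code: the requested path is resolved against the export directory, normalized, and rejected unless the result still lies inside that directory. The class name `ExportPathGuard`, the method names, and the sample paths are assumptions; the WebJar id and file name only mirror the report above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ExportPathGuard {

    // Resolve a path requested for a WebJar resource against the export directory
    // and reject anything that would land outside it. Both checks after normalize()
    // are needed: normalize() folds "webjars/../../x" to "../x", and an absolute
    // requested path replaces the base entirely in resolve().
    public static Path resolveUnderBase(Path base, String requested) {
        Path root = base.toAbsolutePath().normalize();
        // Reject backslashes outright: on Linux "..\\..\\x" is just an odd file name,
        // but the same export tree written on Windows would treat it as traversal.
        if (requested.contains("\\")) {
            throw new IllegalArgumentException("backslash in resource path: " + requested);
        }
        Path target = root.resolve(requested).normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IllegalArgumentException("resource path escapes export directory: " + requested);
        }
        return target;
    }

    // Write a resource only after the containment check has passed. Caveat: startsWith
    // is a lexical check; if an attacker could plant symlinks inside the export
    // directory, compare root.toRealPath() with target.getParent().toRealPath() as well.
    public static Path writeResource(Path base, String requested, byte[] content) throws IOException {
        Path target = resolveUnderBase(base, requested);
        Files.createDirectories(target.getParent());
        return Files.write(target, content);
    }

    public static void main(String[] args) throws IOException {
        Path exportDir = Files.createTempDirectory("xwiki-html-export-");
        // Constructed sample inputs: one legitimate resource path and four traversal attempts.
        String[] samples = {
            "webjars/my.webjar/1.0/script.js",
            "../../../malicious.txt",
            "webjars/../../malicious.txt",
            "/etc/passwd",
            "..\\..\\malicious.txt",
        };
        for (String s : samples) {
            try {
                Path written = writeResource(exportDir, s, "x".getBytes());
                System.out.println("OK    " + exportDir.relativize(written));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is written; every other one is refused before any file is touched. The `equals(root)` case matters too: an empty or `.` path would otherwise pass `startsWith` and point at the export directory itself.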

People

  Michael Hamann