Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-2782

xwiki.cfg inclusi0n from URL for Girliz

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • None
    • Web - Templates & Resources
    • None

    Description

      The xpart.vm template do :

      #set ($vm = $request.vm)
#template("xwikivars.vm")
#template($vm)

      So if vm == ../WEB-INF/xwiki.cfg, we can get the xwiki.cfg file, or any other file without having any account on the wiki.

      for exemple: http://victim.com/xwiki/bin/login/XWiki/XWikiLogin?xpage=xpart&vm=../WEB-INF/xwiki.cfg

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-2580 Improve file access sandboxing

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              softec Denis Gervalle
              raffaello Raffaello Pelagalli
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: