XWiki Platform / XWIKI-4873

Security issue: Editing pages using URL


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 3.2 M1
    • Affects Version/s: 2.3, 2.2.6, 2.3.1, 2.4 RC1, 2.3.2, 2.4
    • Component/s: Other
    • None
    • Environment: Linux, Jetty + HSQLDB
    • Labels: patch, security, csrf
    • Tests to write: Unit, Integration
    • Difficulty to fix: Hard

    Description

      A logged-in user with "Edit" rights can edit pages with a simple GET request, which can be used for CSRF.

      To reproduce (on localhost), enter the following URL:

      Edit the title of Main.WebHome:
      http://localhost:8080/xwiki/bin/preview/Main/WebHome?title=qqqqq&xeditaction=edit&action_save=Save+%26+View

      Edit the content of Main.WebHome:
      http://localhost:8080/xwiki/bin/preview/Main/WebHome?content=qwert&xeditaction=edit&action_save=Save+%26+View

      Put Main.WebHome into recycle bin:
      http://localhost:8080/xwiki/bin/delete/Main/WebHome?confirm=1

      It is also possible to add a comment to the change, change the wiki syntax, redirect to another page after the edit, etc.

      The affected user does not have to click such a URL; it is enough to visit any website containing something like:

      <img src="http://localhost:8080/xwiki/bin/preview/Main/WebHome?title=p0wned&xeditaction=edit&action_save=Save+%26+View" />

      Forbidding such administrative tasks over GET requests will make this issue harder to exploit, but will not fix it, since the attacker might still be able to inject a script that performs a POST request.

      People: Alex Busenius (nickless)