XWiki Platform: XWIKI-5223

XWiki2.0 syntax injection possible everywhere xwiki2 code generates a page with user input.


Details

    • security, patch
    • Unit
    • Unknown

    Description

      To repeat:
      Make sure Registration has PR.

      http://127.0.0.1:8081/xwikiTrunk/bin/view/XWiki/Registration?register_first_name={{/html}}{{groovy}}new Random().unsafe.putAddress(0,0);{{/groovy}}
      

      The troubling thing is Registration does everything "right": XML is escaped, so there can be no script injection (so quotes cannot be injected), but the XML escaping does not escape '{', so the html macro can simply be ended.

      This is not an issue with syntax 1.0, because Groovy is started with a <% which is XML-escaped; also, the output from the Velocity renderer cannot be interpreted as more Velocity.

      A possible quick solution would be to add HTML escaping of '{'.
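The mechanism described above, as an added runnable illustration; this is not XWiki's code nor the reporter's, but a toy Python model. The template string, the XML escaper and the tiny macro "parser" are constructed stand-ins (assumptions), while the payload is the `register_first_name` value from the ticket's URL. The point it shows: an XML escaper that handles `& < > " '` leaves `{{/html}}` intact, so the `{{html}}` macro closes early and a following `{{groovy}}` becomes a top-level macro; adding the ticket's proposed `{` escaping keeps the whole value inside the html macro body.

```python
import html
import re

# Added example for XWIKI-5223; a toy model, not XWiki's own code.
# The escaper, the template string and the macro "parser" below are all
# constructed stand-ins (assumptions), chosen to show why XML escaping alone
# does not stop XWiki 2.0 macro injection.

# Constructed: the register_first_name value taken from the ticket's URL.
PAYLOAD = "{{/html}}{{groovy}}new Random().unsafe.putAddress(0,0);{{/groovy}}"

# An opening macro tag in XWiki 2.0 syntax: {{name}}
OPEN_RE = re.compile(r"\{\{([A-Za-z]+)\}\}")


def xml_escape(s):
    """What an XML escaper does: & < > " ' are replaced; '{' is left alone."""
    return html.escape(s, quote=True)


def xml_escape_plus_brace(s):
    """The quick fix proposed in the ticket: XML-escape, then also turn '{'
    into its character reference so no '{{' macro delimiter can survive."""
    return xml_escape(s).replace("{", "&#123;")


def render_registration(first_name, escape):
    """Stand-in for a template that wraps escaped user input in {{html}}.
    (Assumed shape; the real Registration page is not reproduced here.)"""
    return ('{{html}}<input name="register_first_name" value="'
            + escape(first_name) + '">{{/html}}')


def parse_macros(doc):
    """Minimal model of XWiki 2.0 macro parsing for this demo: a macro is
    {{name}}body{{/name}} and its body is opaque (as for {{html}}), so a
    nested {{groovy}} only runs if the enclosing macro was closed first.
    Returns the (name, body) pairs in document order."""
    macros = []
    pos = 0
    while True:
        m = OPEN_RE.search(doc, pos)
        if m is None:
            break
        name = m.group(1)
        close_tag = "{{/" + name + "}}"
        end = doc.find(close_tag, m.end())
        if end < 0:  # unterminated macro: stop, nothing further executes
            break
        macros.append((name, doc[m.end():end]))
        pos = end + len(close_tag)
    return macros


def macro_names(first_name, escape):
    """Names of the macros that would execute for a given input and escaper."""
    doc = render_registration(first_name, escape)
    return [name for name, _ in parse_macros(doc)]


if __name__ == "__main__":
    print("XML escaping only  :", macro_names(PAYLOAD, xml_escape))
    print("XML + '{' escaping :", macro_names(PAYLOAD, xml_escape_plus_brace))
```

Running it lists `['html', 'groovy']` for the XML-only escaper and `['html']` once `{` is turned into `&#123;`. The character reference is only a fix where the output is HTML that the browser decodes back to `{`; in a context parsed as wiki syntax rather than HTML, `&#123;` would be shown literally.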

People

  calebjamesdelisle CalebJamesDeLisle