
PR leak in Activity Stream


Details

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Critical
    • Fix Version/s: None
    • Affects Version/s: 3.1
    • Component/s: Event Stream
    • Labels: security, pr leak
    • Difficulty: Unknown

    Description

      Currently, Main.Activity (provided in the default XAR) has to be saved with programming rights (PR).

      Since the user messages are rendered as-is, XWiki markup can be injected to include another page in the same (PR) context, as follows:
      1. Log in as an unprivileged user with write access to Some.Document
      2. post this user message:

      {{/html}}
      
      {{include context="current" document="Some.Document"/}}
      
      {{html}}
      

      3. put some Groovy code that does something nasty into Some.Document, then view Main.Activity

            People

              tmortagne Thomas Mortagne
              nickless Alex Busenius