  1. XWiki Platform
  2. XWIKI-9360

URI Based Reflected XSS on XWIKI 4.5.2

Details

    • Bug
    • Resolution: Won't Fix
    • Critical
    • None
    • 4.5.2
    • Apache Tomcat 7, Mysql 5.5
      XWIKI 4.5.2

      IE 8 with XSS filter disabled.
    • Easy

    Description

      Found a URI based reflected XSS on XWIKI 4.5.2.
      I tested it on XWIKI 5.1 and found that 5.1 is not vulnerable to this attack. However, I haven't checked 4.5.3 to 5.0.

      There is no vulnerable parameter. When we pass on the payload on any URL, the attack is triggered.

      POC: http://localhost:8080/xwiki/bin/view/Main/WebHome?"/><script>alert(document.cookie)</script>

      The problem is with the links on the export dropdown menu, as there this attack is escaping the anchor tag and the script tag gets injected into the HTML for rendering in the browser.

      Wanted to add a screenshot as POC, but there is no attach file option.
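
The failure mode described in the report, as an added example that is not part of the original issue and not XWiki code: a hypothetical template helper copies the request's query string into a link's `href`, once raw and once HTML-attribute-escaped, and a parser checks whether the output still consists of a single anchor. The export URL and all function names are assumptions; the query string is the one from the POC above.

```python
from html import escape
from html.parser import HTMLParser

# Query string taken from the report's POC (the part after '?').
POC_QUERY = '"/><script>alert(document.cookie)</script>'
# Constructed export URL, assumed for illustration only.
BASE = "/xwiki/bin/export/Main/WebHome?format=pdf"


def export_link_unescaped(query):
    """Hypothetical 'before': the raw query string is copied into href."""
    return '<a href="%s&%s">Export as PDF</a>' % (BASE, query)


def export_link_escaped(query):
    """Hypothetical 'after': the whole value is attribute-escaped on output."""
    return '<a href="%s">Export as PDF</a>' % escape(BASE + "&" + query, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag and the href of every anchor it sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href"))


def parse_link(markup):
    """Return (start tags, anchor hrefs) as an HTML parser sees the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.hrefs


def injects_markup(markup):
    """True when the rendered link contains anything besides one <a> tag."""
    tags, _ = parse_link(markup)
    return tags != ["a"]
```

With the raw value, the double quote ends the attribute and `/>` ends the anchor, so the parser sees a separate `script` element; with escaping, the same characters arrive as data inside `href`.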

            People

              gdelhumeau Guillaume Delhumeau
              bigboss Abhisek