Headline
CVE-2023-32068: Open Redirect vulnerability discovered in the latest XWiki platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it’s possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1 but there is still the possibility to force specific URLs to skip some checks, e.g. using URLs like http:example.com in the parameter would allow the redirect. The issue has now been patched against all patterns that are known for performing redirects. This issue has been patched in XWiki 14.10.4 and 15.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
**Type: ** Bug
Resolution: Solved By
**Priority: ** Major
Fix Version/s: None
Affects Version/s: 14.6
Documentation in Release Notes:
N/A
Hello XWiki team,
I discovered an open redirect vulnerability in the XWiki platform in the xredirect parameter.
PoC:
If a victim goes to the following url: https://xwiki/bin/login/XWiki/XWikiLogin?xredirect=//veryevilwebsite.evil they will be redirected to https://veryevilwebsite.evil
This is because the exact value of the xredirect param (“//veryevilwebsite.evil”) is sent to the Location header.
Recommended Fix:
Consider removing every forward and backward slash except for one in the xredirect param as this will inform the browser the path is relative to the site and not an absolute one.
Thanks,
depends on
XWIKI-20549 Provide a new script service API to check trustfulness of an URI
- Closed
duplicates
XWIKI-19994 Redirect parameter xredirect in login/logout can link to external site
- Closed
Related news
### Impact It's possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1 but there is still the possibility to force specific URLs to skip some checks, e.g. using URLs like `http:example.com` in the parameter would allow the redirect. ### Patches The issue has now been patched against all patterns that we know about for performing redirect. It also performs a real URI parsing that should protect in most cases. This has been patched in XWiki 14.10.4 and 15.0. ### Workarounds The only workaround is to upgrade XWiki. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20096 * JIRA ticket about the improvment actually fixing the vulnerability: https://jira.xwiki.org/browse/XWIKI-20549 * Previous advisory about open redirect: https://github.com/advisories/GHSA-jp55-vvmf-63mv ### For more information If you have any questions or comments abo...