Headline
CVE-2023-40572: XWIKI-20849: Require a CSRF token in the create action · xwiki/xwiki-platform@4b20528
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message ERROR foo - Script executed!
appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation.
Expand Up
@@ -23,6 +23,7 @@
import java.util.Locale;
import java.util.Map;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import javax.inject.Singleton;
Expand Down Expand Up
@@ -96,6 +97,9 @@ public class CreateAction extends XWikiAction
*/
private static final String LOCAL_SERIALIZER_HINT = "local";
@Inject
private CSRFToken csrf;
/**
* The action to perform when creating a new page from a template.
*
Expand Down Expand Up
@@ -185,9 +189,12 @@ public String render(XWikiContext context) throws XWikiException
checkRights(newDocumentReference.getLastSpaceReference(), context);
// Check if the document to create already exists and if it respects the name strategy
// Also check the CSRF token.
XWikiDocument newDocument = context.getWiki().getDocument(newDocumentReference, context);
if (handler.isDocumentAlreadyExisting(newDocument) || handler.isDocumentPathTooLong(newDocumentReference)
|| !this.isEntityReferenceNameValid(newDocumentReference)) {
|| !this.isEntityReferenceNameValid(newDocumentReference)
|| !this.csrf.isTokenValid(context.getRequest().getParameter(“form_token”)))
{
return CREATE_TEMPLATE;
}
Expand Down Expand Up
@@ -334,8 +341,7 @@ private String getRedirectParameters(String parent, String title, String templat
redirectParams += “&title=” + Util.encodeURI(title, null);
}
// Both the save and the edit action might require a CSRF token
CSRFToken csrf = Utils.getComponent(CSRFToken.class);
redirectParams += “&form_token=” + Util.encodeURI(csrf.getToken(), null);
redirectParams += “&form_token=” + Util.encodeURI(this.csrf.getToken(), null);
return redirectParams;
}
Expand Down
Related news
### Impact The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. To reproduce, the XWiki syntax `[[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)]]` can be added to any place that supports XWiki syntax like a comment. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. ### Patches This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation. ### Workarounds There are no known workarounds. ### References * https://jira.xwiki.org/browse/XWIKI-20849 * https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7