CVE-2023-29526: Async and display macro allow displaying and interacting with any document in restricted mode
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it’s possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be executed when viewed providing a code injection vector in the context of the running server. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.
Steps to reproduce:

1. Enable comments for guests by giving guests comment rights.
2. As a guest, create a comment with content

   `{{async}}{{display reference="Menu.WebHome" /}}{{/async}}`

   and another one with content

   `{{async context="request.parameters"}}{{display reference="FlamingoThemes.WebHome" /}}{{/async}}`

3. Open the comments viewer from the menu (appends ?viewer=comments to the URL).
4. Right-click and copy one of the URLs for "Use this theme", e.g., the URL of the “Cyborg” theme. It should look like http://localhost:8090/xwiki/bin/view/FlamingoThemes/?action=setTheme&theme=FlamingoThemes.Cyborg&form_token=bw2VMc2UsUhxQk6LS1yYoQ but with a different token.
5. Paste the copied URL after the current URL in the address bar, replace everything before the ? by &, and open this new URL.
6. Reload the page.
Expected result:
The menu home page isn’t displayed as guests don’t have view rights on Menu.WebHome and the theme is unchanged.
Actual result:
The menu home page is displayed and the theme has been changed to the Cyborg theme.
This demonstrates that the display macro inside the async macro allows displaying arbitrary documents in the comments viewer, as the context user is now superadmin, and that those documents aren’t restricted in any way: we can interact with them via the request parameters and execute actions as superadmin when the documents contain code such as the theme selector. Already with the theme selector, we’ve also obtained the CSRF token of superadmin, which is useful in case some document requires it. I’ve experienced errors (generally null pointer exceptions) with some documents like CKEditor.HTMLConverter (which would be the key to universal RCE), so I’m not sure how universally this can be used to gain privileges; maybe more context entries also need to be preserved to prevent these errors.
I’ve reproduced this issue on 14.9 and on the most recent 14.10 snapshot, but it seems likely that this issue can also be reproduced on older versions of XWiki.
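As an added example that is not part of this advisory or of XWiki's own code, here is a Python audit script that flags stored comments in which a display macro is nested inside an async macro (the combination described above) and records whether the async context forwards request parameters, so administrators can review existing comment content alongside the upgrade. The regex-based macro tokenizer, the Finding class and the sample comments are constructed assumptions, not XWiki's parser or data.

```python
import re
from dataclasses import dataclass

# XWiki 2.x macro syntax: {{name key="value"}}...{{/name}} or {{name key="value" /}}.
# Hypothetical regex tokenizer for auditing stored content; not XWiki's own parser.
MACRO_RE = re.compile(
    r'\{\{(?P<close>/)?(?P<name>[A-Za-z][\w.-]*)(?P<params>[^}]*?)(?P<selfclose>/)?\}\}')
PARAM_RE = re.compile(r'(?P<key>[\w.-]+)\s*=\s*"(?P<value>[^"]*)"')

@dataclass
class Finding:
    comment_id: str       # id of the stored comment (constructed sample ids below)
    reference: str        # document the display macro tries to render
    async_context: str    # value of the enclosing async macro's context parameter
    request_params: bool  # True if request parameters are forwarded into that context

def parse_params(text: str) -> dict:
    """Extract key="value" macro parameters."""
    return {m.group('key'): m.group('value') for m in PARAM_RE.finditer(text)}

def scan_comment(comment_id: str, content: str) -> list:
    """Flag display macros nested inside an async macro (the CVE-2023-29526 pattern)."""
    findings, open_async = [], []  # open_async: context values of async macros still open
    for m in MACRO_RE.finditer(content):
        name = m.group('name').lower()
        if m.group('close'):
            if name == 'async' and open_async:
                open_async.pop()
            continue
        params = parse_params(m.group('params'))
        if name == 'async' and not m.group('selfclose'):
            open_async.append(params.get('context', ''))
        elif name == 'display' and open_async:
            ctx = open_async[-1]
            findings.append(Finding(comment_id, params.get('reference', ''),
                                    ctx, 'request.parameters' in ctx))
    return findings

def audit(comments) -> list:
    """Scan (comment_id, content) pairs, e.g. exported from the wiki's comment objects."""
    return [f for cid, text in comments for f in scan_comment(cid, text)]

# Constructed sample comments: the two from the report plus two benign ones.
SAMPLE_COMMENTS = [
    ('c1', '{{async}}{{display reference="Menu.WebHome" /}}{{/async}}'),
    ('c2', '{{async context="request.parameters"}}'
           '{{display reference="FlamingoThemes.WebHome" /}}{{/async}}'),
    ('c3', 'Looks good, see {{display reference="Main.WebHome" /}}'),  # no async wrapper
    ('c4', '{{async}}Rendering some plain text asynchronously{{/async}}'),
]
```

The tokenizer only understands double-quoted parameters and does not honour verbatim blocks, so treat it as a triage filter and confirm hits with the rendering engine's own parser.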
Related news
### Impact

It's possible to display any page you cannot access through the combination of the async and display macro.

Steps to reproduce:

1. Enable comments for guests by giving guests comment rights
2. As a guest, create a comment with content `{{async}}{{display reference="Menu.WebHome" /}}{{/async}}`
3. Open the comments viewer from the menu (appends ?viewer=comments to the URL) -> the `Menu.WebHome` is displayed while the expectation would be to have an error that the current user is not allowed to see it

### Patches

The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11.

### Workarounds

There is no known workaround.

### References

* https://jira.xwiki.org/browse/XWIKI-20394
* https://jira.xwiki.org/browse/XRENDERING-694

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])