CVE-2023-29507: It's possible to execute anything with any author through Document#getAuthors()
XWiki Commons are technical libraries common to several other top-level XWiki projects. The Document script API directly returns a DocumentAuthors, allowing any author to be set on the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
Regression caused by XWIKI-19125 (which introduced Document#getAuthors()).
To reproduce:
As a user having SCRIPT right but not PROGRAMMING right:
- create a document with the following content:

```
{{velocity}}
$doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
$doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
$doc.getRenderedContent()
{{/velocity}}
```

The script shows "<p>xwiki:XWiki.superadmin</p>", indicating that it was executed with the rights of the superadmin user.
Document#getAuthors() just returns XWikiDocument#getAuthors() directly, without any kind of wrapper to protect the DocumentAuthors#set* calls, which have two problems:
- it might directly modify the XWikiDocument from the document cache, because it does not use getDoc() (which is in charge of cloning the XWikiDocument when that is not already the case)
- while it is not a lasting problem, because any call to #save will override those changes, you can change the author and then call any of the #display or #getRenderedContent methods, which are going to rely on those modified authors
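As an added illustration (not XWiki's own code) of what "returning a safe script API" means here: a wrapper that delegates reads and refuses writes unless the calling script has programming right, so the proof of concept above can no longer move the content author to superadmin. The DocumentAuthors interface is a reduced stand-in for XWiki's, and the rights check is an injected BooleanSupplier rather than the real authorization manager; the cache-clone issue (getDoc()) is not covered.

```java
import java.util.function.BooleanSupplier;

// Stand-in for XWiki's DocumentAuthors (assumed shape, reduced to the
// pair of methods the advisory's proof of concept relies on).
interface DocumentAuthors {
    String getContentAuthor();
    void setContentAuthor(String authorReference);
}
// The mutable object XWikiDocument#getAuthors() hands back. Returning it
// unwrapped to scripts is the flaw: the content author is what the rights
// check trusts at render time, and here anyone can set it.
class MutableDocumentAuthors implements DocumentAuthors {
    private String contentAuthor;
    MutableDocumentAuthors(String contentAuthor) { this.contentAuthor = contentAuthor; }
    public String getContentAuthor() { return contentAuthor; }
    public void setContentAuthor(String authorReference) { contentAuthor = authorReference; }
}
// Safe script API: reads delegate unchanged, writes are refused unless the
// calling script has programming right. The rights check is injected as a
// BooleanSupplier (assumption) so the example runs without an XWiki instance.
class SafeDocumentAuthors implements DocumentAuthors {
    private final DocumentAuthors wrapped;
    private final BooleanSupplier hasProgrammingRight;
    SafeDocumentAuthors(DocumentAuthors wrapped, BooleanSupplier hasProgrammingRight) {
        this.wrapped = wrapped;
        this.hasProgrammingRight = hasProgrammingRight;
    }
    public String getContentAuthor() { return wrapped.getContentAuthor(); }
    public void setContentAuthor(String authorReference) {
        if (!hasProgrammingRight.getAsBoolean()) {
            throw new SecurityException("programming right required to change the content author");
        }
        wrapped.setContentAuthor(authorReference);
    }
}
public class SafeAuthorsDemo {
    public static void main(String[] args) {
        MutableDocumentAuthors internal = new MutableDocumentAuthors("xwiki:XWiki.scriptuser");
        // What a user with SCRIPT but not PROGRAMMING right gets from $doc.authors after the fix.
        DocumentAuthors scriptApi = new SafeDocumentAuthors(internal, () -> false);
        try {
            scriptApi.setContentAuthor("xwiki:XWiki.superadmin");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Unchanged, so rendering still runs with the script user's rights.
        System.out.println("content author: " + internal.getContentAuthor());
    }
}
```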
### Impact

The Document script API directly returns a DocumentAuthors, allowing any author to be set on the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. Example of such an attack:

```
{{velocity}}
$doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
$doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
$doc.getRenderedContent()
{{/velocity}}
```

### Patches

The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

### Workarounds

There is no easy workaround apart from upgrading.

### References

* https://jira.xwiki.org/browse/XWIKI-20380
* https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])