Headline
CVE-2023-45144: Improve escaping (#30) · xwikisas/identity-oauth@d805d31
com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade.
Expand Up @@ -21,42 +21,53 @@ #macro (initConfigObjects $configDocName $extraObjectClassPropPrefixes $translationPrefixesP) #set($formId = “${section.toLowerCase()}_${configDocName1}”) #set($configDoc = $xwiki.getDocument($configDocName))
#set($classNameIO="IdentityOAuth.IdentityOAuthConfigClass") #set($propNamePrefixIO="${configDoc.fullName}_${classNameIO}_0") #set($objIO = $configDoc.getObject($classNameIO))
## Handle translation prefixes. #set($translationPrefixes = []) #foreach($p in $translationPrefixesP) #set($nuts=$translationPrefixes.add($p)) #end #set($nuts=$translationPrefixes.add(‘IdentityOAuth.IdentityOAuthConfigClass_’))
## Handle extra class properties. #foreach($x in $extraObjectClassPropPrefixes) #set($shhh = $x.add($x[0])) #set($x[0] = $configDoc.getObject($x[0])) #end #end
## t: shorthand for translation ## ## Macros used in managing providers translations. t is for translation and tp for translation with parameters. ## #macro (alignWithTranslationPrefixes $name) #set($tn = []) #foreach($p in $translationPrefixes) #set($nuts=$tn.add(“${p}${name}”)) #end #end #macro (t $name) #macro (getTranslation $name $usage $translation) #alignWithTranslationPrefixes($name) $services.localization.render($tn) #if ($usage == ‘js’) #set ($translation = $escapetool.javascript($services.localization.render($tn))) #else #set ($translation = $escapetool.xml($services.localization.render($tn))) #end #end
## tp: shorthand for translation with parameters #macro (tp $name $params)## ## Display translation. #macro (t $name $usage) #getTranslation($name $usage $translation) $translation #end ## Get translation with parameters. #macro (tp $name $params $usage $translation) #alignWithTranslationPrefixes($name) #set ($msg = $services.localization.render($tn,$params))## ## convert to <a href="link">link-text</a> for the simple wiki syntax of links $stringtool.replacePattern($msg, '\[\[([^>]*)>>([^\]]*)\]\]', ‘<a href="$2">$1</a>’)## #set ($msg = $services.localization.render($tn, $params))## #if ($usage == ‘js’) #set ($translation = $escapetool.javascript($msg)) #else #set ($translation = $escapetool.xml($msg)) #end #end
## displayInput: displays the form element of the relevant property of the object having removed the Expand Down Expand Up @@ -93,7 +104,8 @@ // absUrl: $absUrl #set($serverReturn = “${absUrl.substring(0, $absUrl.indexOf('/’,8))}${serverReturn}”) #end window.placeHolderForRedirectUrl = '#tp("redirectUrl.placeHolderMessage", [“${serverReturn}”])'; #tp("redirectUrl.placeHolderMessage", [“${serverReturn}”], "js", $translation) window.placeHolderForRedirectUrl = "${translation}"; var p = window.location.href.indexOf(‘/admin’); window.browserReturnUrl = (p === -1 ? window.location.href : Expand Down
Related news
### Impact When login via the OAuth method, the identityOAuth parameters, sent in a GET request is vulnerable to XSS and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The vulnerability is in [this part](https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58) of the code. ### Patches The issue has been fixed in Identity OAuth version 1.6 by https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6 . The fix is in the content of the [IdentityOAuth/LoginUIExtension](https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188) file ### Workarounds There are no known workarounds besides upgrading. ### References _Are there any links users can visit to find out more?...