CVE-2022-41927: XWIKI-19748: Wrong error code in tags · xwiki/xwiki-platform@7fd4cda
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: it is possible to patch existing instances directly by editing the page Main.Tags and adding this kind of check in the code for renaming and for deleting:

```
#if (!$services.csrf.isTokenValid($request.get('form_token')))
  #set ($discard = $response.sendError(401, "Wrong CSRF token"))
#end
```
@@ -112,19 +112,23 @@ $xwiki.ssx.use(‘Main.Tags’)##
</form>
{{/html}}
#elseif ($do == ‘renameTag’)
## Rename tag
#set ($renameTo = “$!{request.get(‘renameTo’)}”)
#set ($success = false)
#if ($renameTo != ‘’)
#set ($success = $xwiki.tag.renameTag($tag, $renameTo))
#end
#if ($success == true || $success == ‘OK’)
#set ($urlEscapedRenameTo = $escapetool.url($renameTo))
$response.sendRedirect($doc.getURL('view’, “do=viewTag&tag=${urlEscapedRenameTo}&renamedTag=${urlEscapedTag}”))
#if (!$services.csrf.isTokenValid($request.get(‘form_token’)))
#set ($discard = $response.sendError(401, “Wrong CSRF token”))
#else
{{error}}$services.localization.render('xe.tag.rename.failure’, ["//${wikiEscapedTag}//", “//${services.rendering.escape($renameTo, ‘xwiki/2.1’)}//”]){{/error}}
## Rename tag
#set ($renameTo = “$!{request.get(‘renameTo’)}”)
#set ($success = false)
#if ($renameTo != ‘’)
#set ($success = $xwiki.tag.renameTag($tag, $renameTo))
#end
#if ($success == true || $success == ‘OK’)
#set ($urlEscapedRenameTo = $escapetool.url($renameTo))
$response.sendRedirect($doc.getURL('view’, “do=viewTag&tag=${urlEscapedRenameTo}&renamedTag=${urlEscapedTag}”))
#else
{{error}}$services.localization.render('xe.tag.rename.failure’, ["//${wikiEscapedTag}//", “//${services.rendering.escape($renameTo, ‘xwiki/2.1’)}//”]){{/error}}
#end
#end
#elseif ($do == ‘prepareDelete’)
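Review bot: The new guard `#if (!$services.csrf.isTokenValid($request.get('form_token')))` only protects the rename if the form closed by the `</form>` at the top of this hunk actually submits a `form_token` field, and that form is not part of the visible change; please confirm it carries the token as a hidden input (for example populated from `$services.csrf.getToken()`), otherwise every legitimate rename will now be rejected. The ordering itself is right, since `$xwiki.tag.renameTag($tag, $renameTo)` is only reached inside the `#else` branch after the token passed. One status-code nit: `$response.sendError(401, "Wrong CSRF token")` signals an authentication failure, whereas a rejected CSRF token is an authorization failure, so 403 Forbidden is the conventional choice.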
@@ -142,14 +146,18 @@ $xwiki.ssx.use(‘Main.Tags’)##
</form>
{{/html}}
#elseif ($do == ‘deleteTag’)
## Delete tag
#set ($success = $xwiki.tag.deleteTag($tag))
#if ($success == true || $success == ‘OK’)
$response.sendRedirect($doc.getURL('view’, “deletedTag=${urlEscapedTag}”))
#if (!$services.csrf.isTokenValid($request.get(‘form_token’)))
#set ($discard = $response.sendError(401, “Wrong CSRF token”))
#else
{{error}}$services.localization.render('xe.tag.delete.failure’, [“//${wikiEscapedTag}//”]){{/error}}
## Delete tag
#set ($success = $xwiki.tag.deleteTag($tag))
#if ($success == true || $success == ‘OK’)
$response.sendRedirect($doc.getURL('view’, “deletedTag=${urlEscapedTag}”))
#else
{{error}}$services.localization.render('xe.tag.delete.failure’, [“//${wikiEscapedTag}//”]){{/error}}
#end
#end
#else
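Review bot: Same check for the delete path: `isTokenValid` is evaluated before `$xwiki.tag.deleteTag($tag)` runs, which is the correct order, but the confirmation form produced by the `prepareDelete` branch (the `</form>` at the top of this hunk) must include the `form_token` hidden field or confirmed deletions will fail at `$response.sendError(401, "Wrong CSRF token")`. Consider 403 rather than 401 for that `sendError` call, since a bad or missing CSRF token is not an authentication failure.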
Related news
### Impact
It's possible with a simple request to perform deletion or renaming of tags without needing any confirmation, by using a CSRF attack.

### Patches
The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1.

### Workarounds
It's possible to patch existing instances directly by editing the page Main.Tags and adding this kind of check in the code for renaming and for deleting:

```
#if (!$services.csrf.isTokenValid($request.get('form_token')))
  #set ($discard = $response.sendError(401, "Wrong CSRF token"))
#end
```

See the commit with the fix for more information about patching the page: https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e

### References
* https://jira.xwiki.org/browse/XWIKI-19748
* https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Ema...
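The workaround above shows only the handler side of the check. As an added example (editor's code, not the commit's or the XWiki project's), here is the complete synchronizer-token round trip for the rename flow: the form must submit the hidden `form_token` field that `isTokenValid` later verifies, or every legitimate rename is rejected too. It assumes the XWiki script services the patched page already uses (`$services.csrf`, `$request`, `$response`, `$escapetool`) and a `$tag` variable holding the tag being renamed; the delete flow follows the same pattern.

```velocity
{{velocity}}
## Added example, not code from the xwiki-platform commit. Assumes the same
## script services the patched Main.Tags page uses and that $tag is already set.
#set ($do = "$!{request.get('do')}")
#if ($do == 'prepareRename')
  ## Form side: the token is minted for the current session, so a page on another
  ## origin can neither read nor guess it, and a forged cross-site POST lacks it.
  #set ($formToken = $escapetool.xml($services.csrf.getToken()))
  {{html}}
  <form action="$doc.getURL('view')" method="post">
    <input type="hidden" name="do" value="renameTag" />
    <input type="hidden" name="tag" value="$escapetool.xml($tag)" />
    <input type="hidden" name="form_token" value="$formToken" />
    <label>Rename to <input type="text" name="renameTo" /></label>
    <input type="submit" value="Rename" />
  </form>
  {{/html}}
#elseif ($do == 'renameTag')
  ## Handler side: validate before any state change. A missing or stale token is
  ## rejected here. 403 is used instead of the advisory's 401 because the failure
  ## is one of authorization, not authentication (editor's choice, not XWiki's).
  #if (!$services.csrf.isTokenValid($request.get('form_token')))
    #set ($discard = $response.sendError(403, 'Wrong CSRF token'))
  #else
    #set ($renameTo = "$!{request.get('renameTo')}")
    #set ($success = false)
    #if ($renameTo != '')
      #set ($success = $xwiki.tag.renameTag($tag, $renameTo))
    #end
    #if ($success == true || $success == 'OK')
      $response.sendRedirect($doc.getURL('view', "do=viewTag&tag=$escapetool.url($renameTo)"))
    #else
      {{error}}Tag rename failed.{{/error}}
    #end
  #end
#end
{{/velocity}}
```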