Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9hqh-fmhg-vq2j: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1:

  • Log in as a simple user with just edit rights on the user profile
  • Go to the user’s profile
  • Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
  • Click on “rename” in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png as new attachment name and submit the rename
  • Go back to the user profile
  • Click on the edit icon on the user avatar
  • Hello from groovy! is displayed as the title of the attachment

Scenario 2:

  • Log in as a simple user with just edit rights on a page
  • Create a Page MyPage.WebHome
  • Create an XClass field of type String named avatar
  • Add an XObject of type MyPage.WebHome on the page
  • Insert an attachmentSelector macro in the document with the following values:
    • classname: MyPage.WebHome
    • property: avatar
    • savemode: direct
    • displayImage: true
    • width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You’ll find below a snippet of an attachmentSelector macro declaration.
  • Display the page
  • Use the attachment picker to select an image
  • Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

  • 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23

Workarounds

No known workaround.

References

  • https://jira.xwiki.org/browse/XWIKI-19800

For more information

If you have any questions or comments about this advisory:

ghsa
#web#mac#git#jira

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1:

  • Log in as a simple user with just edit rights on the user profile
  • Go to the user’s profile
  • Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
  • Click on “rename” in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println(“Hello from groovy!”){{/groovy}}{{/async}}.png as new attachment name and submit the rename
  • Go back to the user profile
  • Click on the edit icon on the user avatar
  • Hello from groovy! is displayed as the title of the attachment

Scenario 2:

  • Log in as a simple user with just edit rights on a page
  • Create a Page MyPage.WebHome
  • Create an XClass field of type String named avatar
  • Add an XObject of type MyPage.WebHome on the page
  • Insert an attachmentSelector macro in the document with the following values:
    • classname: MyPage.WebHome
    • property: avatar
    • savemode: direct
    • displayImage: true
    • width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println(“Hello from groovy!”){{/groovy}}{{/async}}. You’ll find below a snippet of an attachmentSelector macro declaration.
  • Display the page
  • Use the attachment picker to select an image
  • Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

  • 14.5-rc-1+: xwiki/xwiki-platform@eb15147#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 14.4.2+: xwiki/xwiki-platform@c02f8eb#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 13.10.7+: xwiki/xwiki-platform@efd0df0#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23

Workarounds

No known workaround.

References

  • https://jira.xwiki.org/browse/XWIKI-19800

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

References

  • GHSA-9hqh-fmhg-vq2j

Related news

CVE-2022-41928: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23