Tag
#rce
### Impact Parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce, edit your user profile with the object editor and add a UIExtension object with the following values: ``` Extension Point ID: org.xwiki.platform.panels.Applications Extension ID: platform.panels.myFakeApplication Extension parameters: label=I got programming right: $services.security.authorization.hasAccess('programming') target=Main.WebHome targetQueryString= icon=icon:bomb Extension Scope: "Current User". ``` Save the document and open any document. If an application entry with the text "I got programming right: true" is displayed, the attack succeeded, if the code in "label" is displayed literally, the XWiki installation isn'...
### Impact The HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. To reproduce in an XWiki installation, open `<xwiki-host>/xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&eval=Hello%20from%20URL%20Parameter!%20I%20got%20programming%3A%20%24services.security.authorization.hasAccess(%27programming%27)` where `<xwiki-host>` is the URL of your XWiki installation. If this displays `You are not admin on this place Hello from URL Parameter! I got programming: true`, the installation is vulnerable. ### Patches The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9 RC1. ### Workarounds Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents f...
### Impact When the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an XWiki installation, as an admin, click on `<xwiki-host>/xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki&space=Main&page=WebHome&text=%7B%7Bvelocity%7D%7D%24logtool.error%28%22Hello%20from%20Velocity%20%21%22%29%7B%7B%2Fvelocity%7D%7D`. If the error "Hello from Velocity!" gets logged then the installation is vulnerable. ### Patches This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9. ### Workarounds Update `RTFrontend.ConvertHTML` following t...
### Impact Any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. To reproduce, as a user without edit, script or admin right, add an object of class `XWiki.XWikiSkins` to your profile. Name it whatever you want and set the Base Skin to `flamingo`. Add an object of class `XWikiSkinFileOverrideClass` and set the path to `macros.vm` and the content to: ``` #macro(mediumUserAvatar $username) #resizedUserAvatar($username 50) $services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')") #end ``` Back to your profile, click `Test this skin`. Force a refresh, just in case. If the error "Skin - I got programming: true" gets logged, the installation is vulnerable. ### Patches This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. ### Workarounds We're not aware of any workaround except upgrading. ##...
### Impact By creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. To reproduce on an XWiki installation, click on this link to create a new document : `<xwiki-host>/xwiki/bin/view/%22%3E%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request/eval%29/`. Then, add to this document an object of type `XWiki.SchedulerJobClass`. Finally, as an admin, go to `<xwiki-host>/xwiki/bin/view/Scheduler/?eval=$services.logging.getLogger(%22attacker%22).error(%22Hello%20from%20URL%20Parameter!%20I%20got%20programming:%20$services.security.authorization.hasAccess(%27programming%27)%22)`. If the logs contain `ERROR attacker - Hello from URL Parameter! I got programming: true`, the installation ...
### Impact By creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce, as a user without script nor programming rights, create a document with title `{{/html}}{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}` and content `Test Document`. Using the search UI, search for `"Test Document"`, then deploy the `Location` facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as: ``` Hello from Groovy Title! </a> <div class="itemCount">1</div> </li> </ul> {{/html}} ``` ### Patches This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. ### Workarounds Modify the `Main.SolrSpaceF...
### Impact In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). This can be exploited for remote code execution if the translation value is not properly escaped where it is used. To reproduce, in a multilingual wiki, as a user without script or admin right, edit a translation of `AppWithinMinutes.Translations` and in the line `platform.appwithinminutes.description=` add `{{async}}{{groovy}}println("Hello from Translation"){{/groovy}}{{/async}}` at the end. Then open the app with in minutes home page (`AppWithinMinutes.WebHome`) in the same locale. If translations are still working and "Hello from Translation" is displayed at the end of the introduction, the installation is vulnerable. ### Patches This has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. ### Workarounds We're not aware of ...
### Impact XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<hostname>/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If the title of the RSS channel contains `Hello from search text:42`, the instance is vulnerable. ### Patches This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. ### Workarounds It is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb839...
### Impact Remote code execution is possible via PDF export templates. To reproduce on an installation, register a new user account with username `PDFClass` if `XWiki.PDFClass` does not exist. On `XWiki.PDFClass`, use the class editor to add a "style" property of type "TextArea" and content type "Plain Text". Then, add an object of class `PDFClass` and set the "style" attribute to `$services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')")`. Finally, go to `<host>/xwiki/bin/export/Main/WebHome?format=pdf&pdftemplate=XWiki.PDFClass`. If the logs contain "ERROR PDFClass - I got programming: true", the instance is vulnerable. ### Patches This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. ### Workarounds If PDF templates are not typically used on the instance, an administrator can create the document `XWiki.PDFClass` and block its edition, after making sure that it does not contain a `style` att...
### Impact Any user with edit right on any page can execute any code on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, as a user without script nor programming rights, add an object of type `XWiki.SearchSuggestSourceClass` to your profile page. On this object, set every possible property to `}}}{{async}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}` (i.e., name, engine, service, query, limit and icon). Save and display the page, then append `?sheet=XWiki.SearchSuggestSourceSheet` to the URL. If any property displays as `Hello from Groovy!}}}`, then the instance is vulnerable. ### Patches This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. ### Workarounds [This patch](https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809#...