Impact
Remote code execution is possible via PDF export templates.
To reproduce on an installation, register a new user account with username PDFClass if XWiki.PDFClass does not exist.
On XWiki.PDFClass, use the class editor to add a "style" property of type "TextArea" and content type "Plain Text".
Then, add an object of class PDFClass and set the "style" attribute to $services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')").
Finally, go to <host>/xwiki/bin/export/Main/WebHome?format=pdf&pdftemplate=XWiki.PDFClass. If the logs contain "ERROR PDFClass - I got programming: true", the instance is vulnerable.
Patches
This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1.
Workarounds
If PDF templates are not typically used on the instance, an administrator can create the document XWiki.PDFClass and block its edition, after making sure that it does not contain a style attribute.
Otherwise, the instance needs to be updated.
References
Impact
Remote code execution is possible via PDF export templates.
To reproduce on an installation, register a new user account with username
PDFClassifXWiki.PDFClassdoes not exist.On
XWiki.PDFClass, use the class editor to add a "style" property of type "TextArea" and content type "Plain Text".Then, add an object of class
PDFClassand set the "style" attribute to$services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')").Finally, go to
<host>/xwiki/bin/export/Main/WebHome?format=pdf&pdftemplate=XWiki.PDFClass. If the logs contain "ERROR PDFClass - I got programming: true", the instance is vulnerable.Patches
This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1.
Workarounds
If PDF templates are not typically used on the instance, an administrator can create the document
XWiki.PDFClassand block its edition, after making sure that it does not contain astyleattribute.Otherwise, the instance needs to be updated.
References