Missing Authorization Affecting org.xwiki.platform:xwiki-platform-oldcore package, versions [3.0.1,14.10.20) [15.0-rc-1,15.5.4) [15.6-rc-1,15.10-rc-1)

org.xwiki.platform:xwiki-platform-oldcore is a generic wiki platform offering runtime services for applications built on top of it.

Affected versions of this package are vulnerable to Missing Authorization due to the improper handling of user registration and PDF export templates. An attacker can execute arbitrary code by registering a new user account with a specific username and manipulating PDF export templates through crafted style attributes.

An attacker can exploit this vulnerability if XWiki.PDFClass does not exist by adding an object of class PDFClass with a malicious style attribute.

This vulnerability can be mitigated by creating the document XWiki.PDFClass and blocking its edition after ensuring it does not contain a style attribute. Otherwise, the instance needs to be updated.

1. Register a new user account with username PDFClass.

2. Switch your user account to advanced.

3. Use the class editor on the user profile and create a new "TextArea" property with name "style". Set the content type to "Plain Text".

4. Use the object editor on the user profile and add a new object of PDFClass. Set the "style" attribute to $services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')").

5. Open <xwiki-server>/xwiki/bin/export/Main/WebHome?format=pdf&pdfcover=1&pdfcover=0&pdftoc=1&pdftoc=0&pdfheader=1&pdfheader=0&pdffooter=1&pdffooter=0&comments=0&attachments=0&pdftemplate=XWiki.PDFClass where is the URL of your XWiki installation.

• GitHub Commit
• GitHub Commit
• GitHub Commit
• XWiki Jira