The XWiki Platform, a powerful open-source wiki application, has been identified as vulnerable to improper neutralization of directives in dynamically evaluated code, also known as 'Eval Injection.' This vulnerability affects the AttachmentSelector.xml document and is marked by the Common Vulnerabilities and Exposures identifier, CVE-2022-41928.

This vulnerability allows an attacker to insert a malicious payload into the height or alt macro properties, leading to potential security breaches. The issue has been patched in the following XWiki Platform versions: 13.10.7, 14.4.2, and 14.5.

Updating XWiki.AttachmentSelector to the following versions addresses this security vulnerability

- 14.5-rc-1+: eb15147
- 14.4.2+: c02f8eb
- 13.10.7+: efddf

The following sections will discuss this vulnerability in more detail, including code snippets and exploitable scenarios.

Code Snippet

The vulnerability exists in the AttachmentSelector.xml document as an eval injection. Here's a snippet of the vulnerable code:

{{velocity}}
#macro(displayIcon $name $text $size $height $alt)
    ...
    <img src="$iconURL" width="$size" height="$height" alt="$alt" />
    ...
#end
{{/velocity}}

Exploit Details

An attacker can exploit this vulnerability by creating a malicious payload that utilizes the height or alt macro properties. For example:

{{velocity}}
...
#displayIcon('test' 'sample' '100' '$velutil.to(25).eval("&lt;script&gt;alert(1)&lt;/script&gt;")' 'test')
...
{{/velocity}}

This example payload will trigger an alert when the page is loaded. Additionally, the attacker can use this vulnerability to execute arbitrary scripts or actions on the XWiki Platform.

Fixing the vulnerability

To fix this issue, update your XWiki.AttachmentSelector to the appropriate patched version outlined at the beginning of the post.

Conclusion

The improper neutralization of directives in dynamically evaluated code, or 'Eval Injection,' is a serious vulnerability in the XWiki Platform. To ensure your wiki's security, it's critical to address this issue immediately. Update your XWiki.AttachmentSelector to one of the patched versions (13.10.7, 14.4.2, or 14.5) to protect your platform from potential security threats.

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 11/30/2022 16:38:00 UTC