XWiki Platform is an open-source, Java-based wiki platform that allows users to create and manage applications using a wiki document-based paradigm. It provides various scripting and rendering capabilities to web applications built on top of it. A security vulnerability, tracked as "CVE-2022-41935", was discovered in XWiki Platform that could lead to unauthorized document existence disclosure. The flaw exists due to improper handling of Livetable queries responses, allowing users without the right to view documents to deduce their existence by repeatedly sending Livetable queries.

Exploit Details

An attacker exploiting this vulnerability can send multiple Livetable requests with varying filter conditions, which can lead to information leaks about protected documents in certain cases. The responses of these requests are not cleaned up properly, allowing attackers to deduce the existence of obfuscated document entries.

Here's a sample code snippet to illustrate the issue

import com.xpn.xwiki.web.Utils;
import com.xpn.xwiki.web.XWikiRequest;
// ...
XWikiRequest request = Utils.getComponent(XWikiRequest.class);
String queryString = request.get("q");
int totalCount = documentSearchService.countDocuments(queryString, true);
List<Document> docs = documentSearchService.getDocuments(queryString, true, , totalCount);

for (int i = ; i < totalCount; i++) {
    Document doc = docs.get(i);
    if (getUser().hasAccess("view", doc)) {
        // Add the document to the response.
    } else {
        // Remove or obfuscate the document from the response.
        // The Vulnerability exists here as the response is not cleaned up properly
    }
}

Workaround

For affected XWiki versions 12.10.11, 13.9-rc-1, and 13.4.4, a patch is available for the document XWiki.LiveTableResultsMacros. This patch can be manually applied or a XAR archive containing the patched version can be imported. Unfortunately, there are no known workarounds for other affected versions of XWiki Platform.

Original References

- XWiki Security Advisory: CVE-2022-41935
- XWiki JIRA Issue: XWIKI-19346
- XWiki Patch (XAR): XWiki.LiveTableResultsMacros

Conclusion

Users of XWiki Platform should prioritize upgrading their instances to the patched versions (14.6RC1, 13.10.8, or 14.4.3) to mitigate the risk of document existence disclosure, which could reveal sensitive or protected information. For those affected on versions 12.10.11, 13.9-rc-1, and 13.4.4, consider manually updating the XWiki.LiveTableResultsMacros document or importing a XAR archive of the patched version as a workaround. Keeping software up-to-date and managing patches is a key practice in maintaining the security and stability of any web application running on the internet.

Timeline

Published on: 11/23/2022 20:15:00 UTC
Last modified on: 07/06/2023 13:37:00 UTC