CVE-2023-29204 is an open redirect bypass in XWiki Commons, the set of technical libraries shared by the top-level XWiki projects. The check that is meant to keep a redirect on the current site can be evaded with specially shaped redirect URLs, so an attacker can send users of an XWiki instance to a site of their choosing. The XWiki development team fixed the issue in XWiki 13.10.10, 14.4.4 and 14.8RC1.

Exploit Details

An open redirect lets an attacker build a link whose visible origin is a legitimate website but which forwards the user to a site the attacker controls. Because the link looks trustworthy, it is an effective delivery mechanism for phishing pages and malware.

The bypass uses a redirect URL such as //mydomain.com, which omits the http: scheme, or http:/mydomain.com, which has a single slash after the scheme. Neither form is recognised by the redirect check as pointing at a foreign host, yet a browser resolves both to http://mydomain.com/, so the user ends up on the attacker's site.

Before the patch, both of the following URLs were accepted as safe redirects, even though each sends the user to mydomain.com

http://www.example.com/xwiki/login?xredirect=//mydomain.com
http://www.example.com/xwiki/login?xredirect=http:/mydomain.com

In simplified form, the redirect check in the XWiki Commons library looked like this (currentDomain is the host of the site issuing the redirect); it lets both bypass forms through:

import java.net.URI;
import java.net.URISyntaxException;

// Pre-patch check, simplified. currentDomain holds the host of the current site.
public boolean isSafe(String redirectUrl) throws URISyntaxException {
    URI uri = new URI(redirectUrl);

    // isAbsolute() is true only when the URI has a scheme, so the scheme-relative
    // "//mydomain.com" never reaches the host comparison below.
    if (uri.isAbsolute()) {
        // "http:/mydomain.com" has a scheme but no authority (the single slash
        // starts the path), so getHost() is null and the comparison is skipped.
        if (uri.getHost() != null && !uri.getHost().equals(currentDomain)) {
            return false;
        }
    }

    return true;
}

The check compares hosts only for a URI that java.net.URI reports as absolute, and isAbsolute() is true only when a scheme is present. //mydomain.com carries a host but no scheme, so isAbsolute() is false and the host is never compared. http:/mydomain.com carries a scheme but, with a single slash, no authority, so getHost() returns null and the comparison is skipped again. A browser, by contrast, resolves both forms to http://mydomain.com/ and leaves the site. The root cause is a parser differential between the server-side URI library and the client's URL parser, which is why bolting on a test for one more prefix is not a robust fix; a redirect validator should instead accept only an explicit allow-list of same-site paths and same-host http(s) URLs and reject everything else.
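The class below is an added example for this page, not code from XWiki Commons. It places a check modelled on the simplified snippet above (isSafeBefore) beside an allow-list rewrite (isSafeHardened), and its main method exercises the two forms named in the advisory plus a few related inputs the page does not mention (http:mydomain.com, ///mydomain.com, a backslash form, a user-info form, a javascript: URL) that the same allow-list handles. CURRENT_HOST, the method names and the sample URLs are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class RedirectCheckDemo {

    /** Host of the site issuing the redirect (assumed value for this example). */
    static final String CURRENT_HOST = "www.example.com";

    /**
     * Check modelled on the page's snippet: only an absolute URI with a foreign host
     * is rejected. java.net.URI.isAbsolute() needs a scheme, so "//mydomain.com"
     * (host, no scheme) and "http:/mydomain.com" (scheme, no host) both pass.
     */
    static boolean isSafeBefore(String redirectUrl) throws URISyntaxException {
        URI uri = new URI(redirectUrl);
        if (uri.isAbsolute()) {
            if (uri.getHost() != null && !uri.getHost().equals(CURRENT_HOST)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Allow-list version: a target is safe only if it is a same-site absolute path
     * ("/...") or an http(s) URL whose parsed host is exactly ours. Anything a browser
     * might normalise into a foreign authority is refused rather than special-cased.
     */
    static boolean isSafeHardened(String redirectUrl) {
        if (redirectUrl == null || redirectUrl.isEmpty()) {
            return false;
        }
        // Browsers strip tab/newline and treat "\" like "/" in http(s) URLs;
        // refuse control characters and backslashes instead of emulating that.
        for (int i = 0; i < redirectUrl.length(); i++) {
            char c = redirectUrl.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(redirectUrl);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never forwarded
        }
        if (uri.getScheme() == null) {
            // Scheme-less: accept only an absolute path. "//host" carries an authority,
            // and "///host" is resolved by browsers to http://host/, so both fail here.
            return uri.getRawAuthority() == null
                && redirectUrl.startsWith("/")
                && !redirectUrl.startsWith("//");
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false; // javascript:, data:, and any other scheme
        }
        // A scheme with no parsed host ("http:/host", "http:host") means java.net.URI
        // and the browser disagree about where the host is: refuse it. User-info is
        // refused too, so "http://www.example.com@other/" cannot mislead a reader.
        String host = uri.getHost();
        return host != null
            && uri.getRawUserInfo() == null
            && host.equalsIgnoreCase(CURRENT_HOST);
    }

    static void check(boolean actual, boolean expected, String label) {
        if (actual != expected) {
            throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        // The two forms from the advisory pass the original check ...
        check(isSafeBefore("//mydomain.com"), true, "before: scheme-relative");
        check(isSafeBefore("http:/mydomain.com"), true, "before: single slash");
        // ... while a plain absolute URL to another host is caught.
        check(isSafeBefore("http://mydomain.com/"), false, "before: absolute foreign");

        // Hardened check: legitimate targets still work ...
        check(isSafeHardened("/xwiki/bin/view/Main/"), true, "hardened: local path");
        check(isSafeHardened("http://www.example.com/xwiki/bin/view/Main/"), true, "hardened: same host");
        check(isSafeHardened("HTTPS://WWW.EXAMPLE.COM/"), true, "hardened: case-insensitive");
        // ... and the bypass variants are refused (sample inputs constructed for this example).
        String[] rejected = {
            "//mydomain.com", "http:/mydomain.com", "http:mydomain.com", "///mydomain.com",
            "/\\mydomain.com", "http://www.example.com@mydomain.com/", "javascript:alert(1)",
            "http://mydomain.com/",
        };
        for (String r : rejected) {
            check(isSafeHardened(r), false, "hardened: " + r);
        }
        System.out.println("all redirect checks behaved as expected");
    }
}
```

Compile and run with javac RedirectCheckDemo.java && java RedirectCheckDemo. The design point is that the hardened check never enumerates bad prefixes: it parses once, refuses anything it cannot classify as a same-site path or a same-host http(s) URL, and treats the absence of a parsed host on a URL that has a scheme as a reason to reject rather than as "nothing to compare". If your site also needs to pin the port, compare uri.getPort() against the expected value in the final return as well.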

For more information regarding this vulnerability, please refer to the following sources

1. XWiki Commons library's official documentation: https://www.xwiki.org/xwiki/bin/view/Documentation/
2. The official XWiki Security Advisory: https://www.xwiki.org/xwiki/bin/view/Main/Advisories/
3. CVE-2023-29204 entry in the CVE (Common Vulnerabilities and Exposures) list: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29204

Patch and Update Recommendations

To protect applications and projects built on XWiki Commons from this vulnerability, upgrade to the fixed release for the branch you are running:

XWiki 13.10.10
XWiki 14.4.4
XWiki 14.8RC1 (release candidate of the 14.8 line)

For instructions on how to upgrade and apply the patch, please refer to the XWiki Installation Guide: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/

Conclusion

CVE-2023-29204 lets an attacker bypass the open redirect protection in XWiki Commons and send users from a trusted XWiki instance to a site they control. Update affected XWiki deployments to one of the patched versions; keeping the software current is what closes this class of issue for your users and maintains trust in the instance.

Timeline

Published on: 04/15/2023 16:15:00 UTC
Last modified on: 04/26/2023 18:30:00 UTC