XWiki RCE Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
XWiki is recognized as a second-generation wiki platform, bringing together the conventional wiki functionality and the unique potential of an application development platform. It showcases a broad array of features typical of a wiki, such as advanced access rights and effective user management. Additionally, XWiki's defining trait lies in its capacity to allow the creation of new applications, which can be developed directly on top of the platform.
Recently, a significant issue has emerged pertaining to XWiki, specifically a reported vulnerability that allows remote code execution. This vulnerability stems from improper handling of documentTree macro parameters within the system. The improper escaping of these parameters creates a security gap, making the platform susceptible to external threats.
A remote attacker can exploit this flaw by sending specially crafted requests to the server hosting XWiki. If the attack succeeds, the attacker gains the ability to execute code remotely on that server.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-29509.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
XWiki boasts a powerful scripting feature set, allowing users to create everything from simple to intricate web applications on an XWiki page (or view) layer. There is no need for users to compile code or deploy software components - instead, they can utilize scripting syntax alongside wiki markup directly within the content of an XWiki page.
The platform supports a range of scripting languages, including Velocity, Groovy, and Python, all of which are enabled by default. XWiki incorporates the JSR-223 scripting platform, which evaluates script code. Additionally, XWiki provides a script macro that evaluates script code and is structured as follows:
To declare script code for default enabled languages, users can directly use the language name:
The standard XWiki flavor includes the "Flamingo Theme Application" extension, which lets users customize site skins and ships a macro, "FlamingoThemesCode.WebHome", that lists the sub-documents of a given document. When a page is requested with the GET parameter sheet set to "FlamingoThemesCode.WebHome", that same macro is used to render the requested page: its document parameter is set to $doc.documentReference, i.e. the current page, and this value is passed on to the documentTree macro, which in turn lists the sub-documents of the current page.
Triggering the Problem:
• The target system must have the vulnerable product installed and running.
• The target user must have network connectivity to the affected ports.
The attacker requests a malicious page using the FlamingoThemesCode.WebHome view. The vulnerability is triggered when the server processes that request.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 2062 XWiki Commons documentTree Remote Code Execution 1
• IPS: 18914 XWiki Commons documentTree Remote Code Execution 2
The risks posed by this vulnerability can be mitigated or eliminated by:
• Updating to a non-vulnerable version of the product.
• Filtering attack traffic using the signatures above.
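For teams that cannot patch immediately or that want evidence of exploitation attempts in addition to the IPS signatures, the trigger described above (a page request rendered through the FlamingoThemesCode.WebHome view) gives a concrete log indicator. The following Python is an added example written for this page, not SonicWall's or XWiki's code: it scans access-log lines from a proxy in front of XWiki, reports every request that sets the sheet parameter to FlamingoThemesCode.WebHome, and raises the severity when the document name being rendered contains characters outside a conservative allowlist. The allowlist, the log layout and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator taken from the advisory: the sheet parameter that renders a page
# through the FlamingoThemesCode.WebHome view.
SHEET_INDICATOR = "FlamingoThemesCode.WebHome"

# Assumption of this heuristic: a benign XWiki document path contains only
# letters, digits, dots, underscores, hyphens, slashes and spaces.
BENIGN_DOC = re.compile(r"^[A-Za-z0-9._/ \-]*$")

# Common/combined access-log layout, e.g. from a reverse proxy in front of XWiki.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_target(target: str):
    """Classify one request target; returns None when the sheet indicator is absent."""
    parts = urlsplit(target)
    sheets = parse_qs(parts.query).get("sheet", [])
    if SHEET_INDICATOR not in sheets:
        return None
    path = unquote(parts.path)
    # XWiki view URLs take the form /<context>/bin/view/<Space>/<Page>.
    doc = path.split("/bin/view/", 1)[1] if "/bin/view/" in path else path
    if BENIGN_DOC.match(doc):
        return {"document": doc, "severity": "info",
                "reason": "sheet override observed on an ordinary document name"}
    return {"document": doc, "severity": "high",
            "reason": "sheet override combined with unexpected characters in the document name"}


def scan_log(lines):
    """Run analyse_target over raw access-log lines and collect the findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        finding = analyse_target(m.group("target"))
        if finding:
            finding.update(client=m.group("client"), timestamp=m.group("ts"),
                           status=m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2023:10:01:09 +0000] "GET /xwiki/bin/view/FlamingoThemes/WebHome?sheet=FlamingoThemesCode.WebHome HTTP/1.1" 200 8710',
    '203.0.113.44 - - [10/May/2023:10:02:41 +0000] "GET /xwiki/bin/view/Sandbox/%3Ctest%3E%20page%22?sheet=FlamingoThemesCode.WebHome HTTP/1.1" 200 9030',
    'garbage line that should be ignored',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['client']} -> {f['document']}: {f['reason']}")
```

The "info" findings are expected on a healthy wiki, since the theme application itself uses this sheet to list its theme pages; they are kept so that a reviewer can baseline normal volume. Only the "high" findings, where the rendered document name falls outside the allowlist, warrant follow-up, and a 200 status on such a request means the server did process it rather than reject it.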
The vendor has released the following advisory regarding this vulnerability: