*SUBMISSION REFERENCES*
* *Submission code*: XWIKI-WS464GRV
* *Submission URL*: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-WS464GRV

*RESEARCHER INFORMATION*
* *Submitter*: floerer

*SUBMISSION INFORMATION*
* *Created at*: Fri, 04 Nov 2022 11:02:35 GMT
* *Submission status*: Accepted Archived
*REPORT CONTENT*
* *Severity*: High (8.6)
* *Domain*: https://intigriti.xwiki.com/ (Url)
* *Proof of concept*: I found a way to perform an SSRF and retrieve sensitive data from the server. As of now I did limited testing but was able to retrieve the `nginx.conf`, so for sure more is possible and I will test it out.
**Steps to reproduce**
1. Login with your account on https://intigriti.xwiki.com
2. Now go to your profile (clicking on your profile picture in the top right corner) and then on this page select `My dashboard`
3. Click on `add gadget`
4. Type `document` and select the `Office document viewer`
5. Now as reference enter: `url:file:///etc/nginx/nginx.conf`
6. Click `submit` and the contents of the file will be loaded on your dashboard as you can see.
I will test more things to show bigger impact.
* *Impact*: Retrieve sensitive data and files from the server with an SSRF
* *Personal data involved*: No
* *Endpoint*: https://intigriti.xwiki.com/xwiki/bin/save/XWiki/<username>
* *Type*: Server-Side Request Forgery
* *Attachments*: No attachments available
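The report shows the viewer gadget accepting a `url:file:///...` reference and fetching it server-side. The following is an added example, not XWiki's code, of the server-side check a defender would put in front of such a fetch: it takes the `url:<uri>` shape from the report, and the scheme allowlist, the resolver hook and the sample hostnames are assumptions.

```python
"""Check a document-viewer reference of the form ``url:<uri>`` before the
server fetches it. Added example for this page, not XWiki's code: the ``url:``
prefix comes from the report; everything else here is an assumption."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the check can run offline.
SAMPLE_HOSTS = {"localhost": ["127.0.0.1"], "meta.example": ["169.254.169.254"],
                "www.example.com": ["93.184.216.34"]}


def _resolve(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def validate_reference(reference, resolve=_resolve):
    """Return (ok, reason); only absolute http(s) URLs to public hosts pass."""
    ref = reference.strip()
    if not ref.lower().startswith("url:"):
        return False, "reference must start with 'url:'"
    parts = urlsplit(ref[4:].strip())
    scheme = parts.scheme.lower()
    # Allowlist, not denylist: file:, jar:, ftp:, gopher: and scheme-less
    # input are all rejected without having to enumerate them.
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '<none>'!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    # Literal IPs are checked as given; names are resolved first so that a
    # harmless-looking name pointing at loopback or a metadata address is caught.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError, KeyError):
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:  # rejects loopback, private, link-local, multicast
        if not addr.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Pass `resolve=lambda h: SAMPLE_HOSTS[h]` to exercise the check against the constructed table; with the default resolver it performs the same DNS lookup the fetch would, so a name that resolves to an internal address is rejected before any request is made.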