Hi Jerome, thanks for the quick answer!
My bad, I didn't notice the {{{ thing (so many symbols on that line...)
It's great to know that flaw has long been fixed. I've already updated my
comment, and your extension is being very useful for us because we couldn't
make the built-in "rss" extension work with an authenticated feed.
2012/11/20 Jerome Velociter <jerome(a)velociter.fr>
Hi Fernando,
Actually, I've fixed the issue just after reading xipe's comment back in
2009, by enclosing everything the macro outputs in {{{verbatim markup}}}.
See the update line at the top of the blog post.
This was even before XWiki prevented nested scripting by default. Could
you edit your comment on the macro's extension page, since the security
issue had been addressed even before the macro was released?
Thanks,
Jerome
On 11/20/2012 05:52 PM, Fernando Correia wrote:
One comment in the blog post[1] about the RSS
Aggregator Macro[2] warns
against a serious security flaw: the extension is embedding in the page's
wiki markup strings it reads from the web (RSS feeds); if these strings
contain wiki code such as this:
<title>Let's execute some groovy: {{groovy}}println
"id".execute().getText(){{/groovy}}</title>
then it would allow random code to be executed on the server.
I investigated the issue and my current understanding is that this
vulnerability has been addressed at XWiki itself, when nested scripts[3]
were disabled in v. 2.4M2[4].
Am I correct to assume this vulnerability has been closed and that it's
safe to run this extension?
[1] http://www.velociter.fr/journal/XWiki-plus-groovy-is-love-the-10-lines-RSS-aggregator-macro
[2] http://extensions.xwiki.org/xwiki/bin/view/Extension/RSS+Aggregator+Macro
[3] http://extensions.xwiki.org/xwiki/bin/view/Extension/Script+Macro#HNestedscripts
[4] http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWikiEnterprise24M2#HScriptimprovements
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
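The injection the thread discusses, as an added example that is not part of the original messages or of the XWiki project: a toy model in Python of a wiki renderer that interprets a {{groovy}} macro outside of {{{verbatim}}} blocks, fed by three constructed RSS titles (the benign one, the payload from the comment, and a variant that tries to close the verbatim block early). The renderer, the aggregator functions and the "neutralise }}}" rule are all assumptions of this model, not XWiki's parser or its escaping rules; the scripts are collected, never executed.

```python
import re

# Toy grammar: a groovy macro outside verbatim is "executed" (collected, not run).
GROOVY_RE = re.compile(r"\{\{groovy\}\}(.*?)\{\{/groovy\}\}", re.DOTALL)

# Constructed feed titles: benign, the payload from the blog comment, and a
# variant that tries to break out of a surrounding {{{...}}} block.
FEED_TITLES = [
    "XWiki 4.3 released",
    "Let's execute some groovy: {{groovy}}println \"id\".execute().getText(){{/groovy}}",
    "}}}{{groovy}}println \"id\".execute().getText(){{/groovy}}{{{",
]


def render(markup):
    """Toy model of a wiki renderer (assumption: not XWiki's real parser).

    {{{...}}} verbatim blocks are copied literally up to the first '}}}'.
    Outside verbatim, {{groovy}}...{{/groovy}} bodies are appended to
    `executed` instead of being run. Returns (rendered_text, executed_scripts).
    """
    out, executed, i = [], [], 0
    while i < len(markup):
        if markup.startswith("{{{", i):
            end = markup.find("}}}", i + 3)
            if end == -1:  # unterminated verbatim: the rest is literal
                out.append(markup[i + 3:])
                break
            out.append(markup[i + 3:end])
            i = end + 3
            continue
        m = GROOVY_RE.match(markup, i)
        if m:
            executed.append(m.group(1))
            out.append("<script output>")
            i = m.end()
            continue
        out.append(markup[i])
        i += 1
    return "".join(out), executed


def aggregate_raw(titles):
    """Vulnerable: untrusted feed titles pasted straight into wiki markup."""
    return "".join("* " + t + "\n" for t in titles)


def aggregate_verbatim(titles):
    """The fix described in the thread: wrap each untrusted string in {{{...}}}."""
    return "".join("* {{{" + t + "}}}\n" for t in titles)


def aggregate_hardened(titles):
    """Verbatim plus a guard against the untrusted text closing the block.

    Toy rule (assumption, not XWiki's escaping): any run of three or more
    '}' in the title is split with spaces so it can no longer terminate
    the verbatim block early.
    """
    safe = (re.sub(r"\}{3,}", lambda m: " ".join(m.group(0)), t) for t in titles)
    return "".join("* {{{" + t + "}}}\n" for t in safe)


def executed_scripts(markup):
    """Number of macro bodies the toy renderer would have handed to a script engine."""
    return len(render(markup)[1])


if __name__ == "__main__":
    for name, agg in (("raw", aggregate_raw),
                      ("verbatim", aggregate_verbatim),
                      ("hardened", aggregate_hardened)):
        print(f"{name:9s} -> {executed_scripts(agg(FEED_TITLES))} script(s) executed")
```

The point of the third title is the caveat a reviewer would raise about the verbatim fix: wrapping untrusted text in {{{...}}} only helps if that text cannot contain the closing sequence, so whatever escaping the real syntax offers has to be applied to the feed content as well.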