[xwiki-users] Security check on RSS Aggregator Macro extension
One comment in the blog post[1] about the RSS Aggregator Macro[2] warns against a serious security flaw: the extension is embedding in the page's wiki markup strings it reads from the web (RSS feeds); if these strings contain wiki code such as this:

<title>Let's execute some groovy: {{groovy}}println id.execute().getText(){{/groovy}}</title>

then it would allow random code to be executed on the server.

I investigated the issue and my current understanding is that this vulnerability has been addressed at XWiki itself, when nested scripts[3] were disabled in v. 2.4M2[4].

Am I correct to assume this vulnerability has been closed and that it's safe to run this extension?

[1] http://www.velociter.fr/journal/XWiki-plus-groovy-is-love-the-10-lines-RSS-aggregator-macro
[2] http://extensions.xwiki.org/xwiki/bin/view/Extension/RSS+Aggregator+Macro
[3] http://extensions.xwiki.org/xwiki/bin/view/Extension/Script+Macro#HNestedscripts
[4] http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWikiEnterprise24M2#HScriptimprovements

___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] Security check on RSS Aggregator Macro extension
Hi Fernando,

Actually, I've fixed the issue just after reading xipe's comment back in 2009, by enclosing everything the macro outputs in {{{verbatim markup}}}. See the update line at the top of the blog post. This was even before XWiki prevented nested scripting by default.

Could you edit your comment on the macro's extension page since the security issue has been addressed even before the macro was released?

Thanks,
Jerome

On 11/20/2012 05:52 PM, Fernando Correia wrote:
Re: [xwiki-users] Security check on RSS Aggregator Macro extension
Hi Jerome,

thanks for the quick answer! My bad, I didn't notice the {{{ thing (so many symbols on that line...)

It's great to know that flaw has long been fixed. I've already updated my comment and your extension is being very useful for us because we couldn't make the built-in rss extension work with an authenticated feed.

2012/11/20 Jerome Velociter jer...@velociter.fr
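As an added illustration, not the macro's own Groovy code, the following Python model reproduces the injection the thread describes (untrusted feed strings dropped straight into wiki markup) beside the {{{verbatim}}} wrapping Jerome applied, using constructed feed items. It also covers a feed string that itself contains `}}}`, which would close the verbatim block early; the model assumes a verbatim block ends at the first `}}}`, and the bullet-list rendering is a simplified stand-in for the macro's real output.

```python
import re

# Constructed sample feed items (not a real feed). The second title carries the
# macro syntax quoted in the thread; the third also smuggles a verbatim terminator.
FEED_ITEMS = [
    {"title": "Release notes", "link": "https://example.invalid/notes"},
    {"title": "Let's execute some groovy: {{groovy}}println 1{{/groovy}}",
     "link": "https://example.invalid/1"},
    {"title": "Nested }}} {{groovy}}println 2{{/groovy}}",
     "link": "https://example.invalid/2"},
]

# {{name ...}} or {{/name}}: the XWiki 2.0 macro call syntax.
MACRO_RE = re.compile(r"\{\{/?([A-Za-z][\w-]*)\b[^{}]*\}\}")
# Assumption: a verbatim block runs from {{{ to the first }}} (non-nesting).
VERBATIM_RE = re.compile(r"\{\{\{.*?\}\}\}", re.S)
# Any run of three or more braces could open or close a verbatim block.
BRACE_RUN_RE = re.compile(r"\{{3,}|\}{3,}")


def macros_outside_verbatim(markup):
    """Macro names the wiki parser would actually execute: verbatim blocks are
    dropped first, since their content is rendered literally."""
    return MACRO_RE.findall(VERBATIM_RE.sub("", markup))


def wrap_naive(text):
    """Plain {{{...}}} wrapping: fails if the text contains its own '}}}'."""
    return "{{{" + text + "}}}"


def verbatim(text):
    """Hardened wrapping: brace runs are split with spaces ('}}}' -> '} } }')
    so no untrusted substring can terminate (or open) a verbatim block."""
    return "{{{" + BRACE_RUN_RE.sub(lambda m: " ".join(m.group()), text) + "}}}"


def render_unsafe(items):
    # Pre-fix behaviour: feed strings are inserted directly into wiki markup.
    return "\n".join(f"* {i['title']} ({i['link']})" for i in items)


def render_safe(items):
    # Post-fix behaviour: every untrusted string is wrapped in verbatim markup.
    return "\n".join(f"* {verbatim(i['title'])} ({verbatim(i['link'])})" for i in items)
```

Run `macros_outside_verbatim()` over any generated markup as a regression check: it should return an empty list for the safe renderer even on hostile feeds.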