[xwiki-users] Security check on RSS Aggregator Macro extension

2012-11-20 Thread Fernando Correia
One comment in the blog post[1] about the RSS Aggregator Macro[2] warns
against a serious security flaw: the extension is embedding in the page's
wiki markup strings it reads from the web (RSS feeds); if these strings
contain wiki code such as this:

<title>Let's execute some groovy: {{groovy}}println id.execute().getText(){{/groovy}}</title>

then it would allow random code to be executed on the server.

I investigated the issue and my current understanding is that this
vulnerability has been addressed at XWiki itself, when nested scripts[3]
were disabled in v. 2.4M2[4].

Am I correct to assume this vulnerability has been closed and that it's
safe to run this extension?


[1]
http://www.velociter.fr/journal/XWiki-plus-groovy-is-love-the-10-lines-RSS-aggregator-macro

[2]
http://extensions.xwiki.org/xwiki/bin/view/Extension/RSS+Aggregator+Macro

[3]
http://extensions.xwiki.org/xwiki/bin/view/Extension/Script+Macro#HNestedscripts

[4]
http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWikiEnterprise24M2#HScriptimprovements
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users


Re: [xwiki-users] Security check on RSS Aggregator Macro extension

2012-11-20 Thread Jerome Velociter

Hi Fernando,

Actually, I've fixed the issue just after reading xipe's comment back in 
2009, by enclosing everything the macro outputs in {{{verbatim 
markup}}}. See the update line at the top of the blog post.
This was even before XWiki prevented nested scripting by default. Could 
you edit your comment on the macro's extension page, since the security 
issue had been addressed even before the macro was released?


Thanks,
Jerome

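A toy model of the flaw and of the verbatim fix discussed above, added here as an example and not code from the macro, from XWiki, or from either poster: a minimal stand-in for the renderer that reports which macros would be invoked, constructed feed titles of the shape quoted in the thread, and three ways of splicing feed text into the page. It assumes that a verbatim block ends at the first unescaped `}}}` and that XWiki accepts `~}}}` as the escape for a literal `}}}` inside verbatim; the `MACRO_RE` pattern and all function names are this example's own, not XWiki's.

```python
import re

# Constructed sample feed titles (not real feed data). The second mirrors the
# payload shape quoted in the thread; the third also carries a verbatim closer.
FEED_TITLES = [
    "Release notes for 2.4M2",
    "Let's execute some groovy: {{groovy}}println 'hi'{{/groovy}}",
    "Closing the block early: }}} {{groovy}}println 'hi'{{/groovy}}",
]

# Toy model of an XWiki 2.x macro invocation, {{name ...}}; not XWiki's parser.
MACRO_RE = re.compile(r"\{\{(\w+)[^}]*\}\}")

def nonverbatim_text(markup: str) -> str:
    """Return the parts of `markup` that lie outside {{{ ... }}} verbatim blocks.

    Toy model: a block ends at the first }}} not escaped as ~}}} (assumed XWiki
    escape rule, see lead-in); an unterminated block swallows the rest."""
    out, i = [], 0
    while (start := markup.find("{{{", i)) != -1:
        out.append(markup[i:start])
        end = markup.find("}}}", start + 3)
        while end != -1 and markup[end - 1] == "~":  # escaped closer: keep going
            end = markup.find("}}}", end + 3)
        if end == -1:
            return "".join(out)
        i = end + 3
    out.append(markup[i:])
    return "".join(out)

def macro_invocations(markup: str) -> list:
    """Names of the macros the renderer would run for this markup."""
    return MACRO_RE.findall(nonverbatim_text(markup))

def render_unsafe(title: str) -> str:
    """Feed text spliced straight into wiki markup: the flaw reported in the thread."""
    return "* " + title

def render_wrapped(title: str) -> str:
    """Verbatim wrapping alone: a }}} in the feed text still closes the block early."""
    return "* {{{" + title + "}}}"

def render_safe(title: str) -> str:
    """Verbatim wrapping with }}} escaped, so feed text cannot close the block."""
    return "* {{{" + title.replace("}}}", "~}}}") + "}}}"

if __name__ == "__main__":
    for t in FEED_TITLES:
        print(macro_invocations(render_unsafe(t)), macro_invocations(render_safe(t)))
```

The third title shows the caveat: wrapping alone is not enough if the feed text can contain the verbatim closer, so the closer must be escaped as well.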


Re: [xwiki-users] Security check on RSS Aggregator Macro extension

2012-11-20 Thread Fernando Correia
Hi Jerome, thanks for the quick answer!

My bad, I didn't notice the {{{ thing (so many symbols on that line...)

It's great to know that flaw has long been fixed. I've already updated my
comment, and your extension is being very useful for us because we couldn't
make the built-in rss extension work with an authenticated feed.

