XWiki Admin Tools Application up to 4.5.0 attacked cross-site request forgery

Summaryinfo

A vulnerability classified as problematic has been found in XWiki Admin Tools Application up to 4.5.0. Affected by this vulnerability is an unknown functionality of the file /xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked. This manipulation causes cross-site request forgery. The identification of this vulnerability is CVE-2023-48292. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability has been found in XWiki Admin Tools Application up to 4.5.0 (Content Management System) and classified as problematic. Affected by this vulnerability is some unknown processing of the file /xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. As an impact it is known to affect integrity. The summary by CVE is:

The XWiki Admin Tools Application provides tools to help the administration of XWiki. Starting in version 4.4 and prior to version 4.5.1, a cross site request forgery vulnerability in the admin tool for executing shell commands on the server allows an attacker to execute arbitrary shell commands by tricking an admin into loading the URL with the shell command. A very simple possibility for an attack are comments. When the attacker can leave a comment on any page in the wiki it is sufficient to include an image with an URL like `/xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked` in the comment. When an admin views the comment, the file `/tmp/attacked` will be created on the server. The output of the command is also vulnerable to XWiki syntax injection which offers a simple way to execute Groovy in the context of the XWiki installation and thus an even easier way to compromise the integrity and confidentiality of the whole XWiki installation. This has been patched by adding a form token check in version 4.5.1 of the admin tools. Some workarounds are available. The patch can be applied manually to the affected wiki pages. Alternatively, the document `Admin.RunShellCommand` can also be deleted if the possibility to run shell commands isn't needed.

The weakness was shared 11/20/2023 as GHSA-8jpr-ff92-hpf9. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2023-48292 since 11/14/2023. It demands that the victim is doing some kind of user interaction. Technical details and also a public exploit are known.

It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept.

Upgrading to version 4.5.1 eliminates this vulnerability. Applying the patch 03815c505c9f37006a0c56495e862dc549a39da8 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Exploit-DB (52105). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Content Management System

Vendor

• XWiki

Name

• Admin Tools Application

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion