Impact
The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment.
For this, the attacker only needs to provide the reference of a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can open the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones, and allows the necessary values to be obtained.
To reproduce, as admin, create a page "Secret Page" with an attachment "secret-attachment.pdf" and restrict view access to admins. Then, as a simple user who doesn't have access to "Secret Page", edit any page you can edit that has previously been edited by a user with access to the secret attachment. For example, any of the Sandbox pages should fulfill these conditions by default. Insert the "PDF Viewer" macro, set the file to "Secret Page@secret-attachment.pdf" and set "Delegate my view right" to 1.
Submit the macro editing dialog but don't save the document. If the instance is vulnerable, the PDF document is displayed in the editor.
This attack can also be carried out without edit right using the HTMLConverter used by the WYSIWYG editor. To reproduce, open any page that has been last edited by a user with access to the attachment and execute the following JavaScript snippet in the browser's console, replacing the attachment reference in the last line as desired:
(function (text) {
// Build a request to the current page that asks the CKEditor HTMLConverter sheet
// to render the supplied wiki syntax to HTML (rendered with the page's last author rights).
const url = new URL(document.location);
url.searchParams.append('sheet', 'CKEditor.HTMLConverter');
// The form token is required by the converter's CSRF check.
url.searchParams.append('formToken', document.documentElement.dataset.xwikiFormToken);
url.searchParams.append('toHTML', 'true');
url.searchParams.append('text', text);
document.location = url;
})('{{pdfviewer file="Secret Page@secret-attachment.pdf" asAuthor="1"/}}');
When supplying an attachment reference that is not a PDF file, there will be an error displaying the file, but it is still possible to use the URL from the browser's developer tools to manually download the attachment content.
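As an added example (not part of this advisory or of the XWiki project), the following Python hunts for the pattern described above in two places: saved page content, and web-server access logs for HTMLConverter requests whose submitted text delegates the author's view right to an attachment stored in another document. The macro name, its `file` and `asAuthor` parameters and the `CKEditor.HTMLConverter` sheet come from the advisory; the Apache-style log format, the URL-to-document mapping and the set of values treated as enabling `asAuthor` are assumptions, and the log lines are constructed samples.

```python
"""Hunt for delegated-view-right PDF Viewer macro usage in XWiki content and access logs.

Added example, not the advisory's or XWiki's own code. The macro syntax and the
asAuthor parameter come from the advisory's snippet; the values treated as
"enabled", the access-log format and the URL layout are assumptions.
"""
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Matches e.g. {{pdfviewer file="Secret Page@secret-attachment.pdf" asAuthor="1"/}}
MACRO_RE = re.compile(r'\{\{pdfviewer\b([^}]*?)/?\}\}', re.IGNORECASE)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Client address and request target of an Apache-style combined log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
TRUTHY = {"1", "true", "yes"}  # assumption: values that enable asAuthor


def parse_pdfviewer_macros(content: str) -> List[Dict[str, str]]:
    """Return the parameters of every pdfviewer macro call found in XWiki syntax."""
    return [
        {name.lower(): value for name, value in PARAM_RE.findall(m.group(1))}
        for m in MACRO_RE.finditer(content)
    ]


def attachment_document(reference: str) -> Optional[str]:
    """'Doc@file.pdf' -> 'Doc'; a bare file name targets the current document (None)."""
    if "@" not in reference:
        return None
    return reference.rsplit("@", 1)[0]


def risky_macros(content: str, current_document: str) -> List[Dict[str, str]]:
    """Macro calls that delegate the author's view right to an attachment stored in a
    document other than the one being rendered. Same-document references are the
    expected usage; cross-document ones combined with asAuthor are what the advisory
    describes."""
    hits = []
    for params in parse_pdfviewer_macros(content):
        delegated = params.get("asauthor", "").strip().lower() in TRUTHY
        target = attachment_document(params.get("file", ""))
        if delegated and target is not None and target != current_document:
            hits.append(params)
    return hits


def document_from_path(path: str) -> str:
    """'/xwiki/bin/view/Sandbox/WebHome' -> 'Sandbox.WebHome' (assumed URL layout)."""
    parts = path.split("/bin/", 1)[-1].split("/")[1:]  # drop the action segment
    return ".".join(urllib.parse.unquote(p) for p in parts if p)


def html_converter_text(request_line: str) -> Optional[Tuple[str, str, str]]:
    """For a request to the CKEditor.HTMLConverter sheet return
    (client, document, decoded text parameter); otherwise None."""
    m = REQUEST_RE.match(request_line)
    if not m:
        return None
    client, target = m.group(1), m.group(2)
    parsed = urllib.parse.urlparse(target)
    qs = urllib.parse.parse_qs(parsed.query)
    if qs.get("sheet", [""])[0] != "CKEditor.HTMLConverter":
        return None
    return client, document_from_path(parsed.path), qs.get("text", [""])[0]


def scan_access_log(lines) -> List[dict]:
    """Flag HTMLConverter requests whose submitted text contains a risky macro."""
    findings = []
    for line in lines:
        hit = html_converter_text(line)
        if hit is None:
            continue
        client, document, text = hit
        for params in risky_macros(text, document):
            findings.append({"client": client, "document": document,
                             "file": params.get("file", "")})
    return findings


# Constructed sample log lines (not real traffic): a plain view, a benign converter
# call, and a converter call carrying a cross-document pdfviewer macro with asAuthor.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xwiki/bin/view/Sandbox/WebHome HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?sheet=CKEditor.HTMLConverter&toHTML=true&text=%3D%3D+Title+%3D%3D HTTP/1.1" 200 64',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?sheet=CKEditor.HTMLConverter&formToken=abc&toHTML=true&text=%7B%7Bpdfviewer+file%3D%22Secret+Page%40secret-attachment.pdf%22+asAuthor%3D%221%22%2F%7D%7D HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} rendered {f['document']} with delegated view of {f['file']}")
```

`risky_macros` can equally be run over exported page content (XAR or REST `content` field) to find saved pages that already embed such a macro; only references to another document combined with a delegated view right are reported, so ordinary use of the macro on a page's own attachments produces no noise.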
Patches
Fixed in version 2.5.6
Workarounds
As a workaround, the document XWiki.PDFViewerService can be deleted as "superadmin", thereby removing the possibility to delegate the view right.