Creating a secure Wiki is hard. The purpose of a wiki is to allow "random" users to edit web pages. A good Wiki provides users with great flexibility, but with great flexibility comes an even "greater" attack surface. File uploads and markup (or markdown) are all well-known security issues affecting various Wikis in the past.

Today's vulnerability is a bit different, and less a typical "Wiki" vulnerability. CVE-2024-3721 was patched April 13th last year. It addresses an interesting OS command injection vulnerability that is exploited via the XWiki search feature. A user usually does not need to log in to use the search. In some ways, this is one of the "less dangerous" features for a Wiki.

The exploit we are seeing now is pretty much identical to the PoC published back in April:

/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D

The "text" parameter decodes to:

}}}{{async async=false}}{
     {groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}
{{/async}

X-Wiki is written in Java and uses Groovy. Groovy allows for "rendering transformations". Output may include code like shown in the exploit, and before it is sent to the user as an HTTP response, it may get evaluated as code. This allows for more flexible "templates" to be created. The fix was to send the output directly to the user, bypassing the rendering transformation.

The exploit above confirms the vulnerability by returning the text "Hello from search text: 42" if the page was vulnerable. 

We saw the first exploit attempt for the vulnerability on June 26th, but it was a single attempt, not crossing our detection threshold. Since then, we only had a handful of exploit attempts, but a few recognizance scans just hit the vulnerable endpoint without sending an actual exploit.

Vulnerability Details: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|