XWiki
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- >= 1.0
A SQL injection vulnerability affects XWiki 1.0 and later when the wiki is backed by an Oracle Database. It is reachable through the query endpoint of the REST API, which accepts HQL. XWiki's query validator only checks that the submitted query is a simple 'select' statement; it does not reject the function names used inside that statement. Hibernate allows HQL to call native database functions, so an unrecognised function name is handed to Oracle unchanged. On Oracle, packages such as DBMS_XMLGEN or DBMS_XMLQUERY take an SQL statement as a string argument and execute it, so a caller who can submit an otherwise-valid HQL select can make the database run arbitrary SQL.
Successful exploitation executes attacker-chosen SQL on the Oracle database, which can expose or alter any data reachable by the database account XWiki connects with, regardless of the wiki's own access rights.
To reproduce, send a request to the XWiki REST query endpoint whose HQL is a plain 'select' statement that invokes DBMS_XMLGEN or DBMS_XMLQUERY with the target SQL as its string argument. The validator accepts the outer select, Hibernate forwards the native call, and Oracle executes the embedded statement. These packages exist only on Oracle, so the same request against another database backend will not behave this way.
The fix is in XWiki 16.10.2, 16.4.7 and 15.10.16, one per maintained branch; upgrade to the patched release of the branch in use.
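Two checks a practitioner would want in hand, written as an added example (not code from XWiki or from the advisory): an `is_vulnerable` version test built from the three fixed releases above, and a scanner that pulls the `q` parameter out of access-log requests to the REST query resource and flags calls to the two Oracle packages. Assumptions, labelled in the code: the query resource lives at `/rest/wikis/<wiki>/query`, every release newer than 16.10.2 carries the fix, pre-release suffixes sort before the final release, and the log lines are constructed for the demo.

```python
"""Version check and access-log detection for the XWiki/Oracle HQL issue.

Added example, not XWiki project code. Assumptions: the REST query resource
is /rest/wikis/<wiki>/query with the HQL in the ``q`` parameter; every
release newer than 16.10.2 contains the fix; a pre-release suffix such as
``-rc-1`` sorts before the final release of the same number.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Releases the advisory names as containing the fix, one per branch.
FIXED = [(15, 10, 16), (16, 4, 7), (16, 10, 2)]


def parse_version(text):
    """'16.10.2' -> (16, 10, 2, 0); '16.10.0-rc-1' -> (16, 10, 0, -1)."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(-.+)?$", text.strip())
    if not m:
        raise ValueError("unrecognised XWiki version: %r" % text)
    major, minor, patch, suffix = m.groups()
    # Assumption: a suffixed build is older than the plain release.
    return (int(major), int(minor or 0), int(patch or 0), -1 if suffix else 0)


def is_vulnerable(text):
    """True when the version predates the fixed release of its branch."""
    v = parse_version(text)
    branch = v[:2]
    # Assumption: branches newer than 16.10 were cut after the fix.
    if branch > (16, 10):
        return False
    for fixed in FIXED:
        if branch == fixed[:2]:
            return v < fixed + (0,)
    # 15.x before 15.10, 16.0-16.3, 16.5-16.9 and anything older: no fix.
    return True


# Oracle packages the advisory names; extend the alternation to widen scope.
NATIVE_FUNCS = re.compile(r"\bDBMS_XML(?:GEN|QUERY)\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
QUERY_PATH = re.compile(r"/rest/wikis/[^/]+/query$")  # assumed resource path


def flag_request(line):
    """Return the decoded HQL if this combined-format access-log line hits
    the REST query resource with an Oracle XML-package call, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not QUERY_PATH.search(url.path):
        return None
    # parse_qs percent-decodes and turns '+' into spaces for us.
    for hql in parse_qs(url.query).get("q", []):
        if NATIVE_FUNCS.search(hql):
            return hql
    return None


def scan(lines):
    """(line number, decoded HQL) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        hql = flag_request(line)
        if hql is not None:
            hits.append((number, hql))
    return hits


# Constructed sample log: a benign HQL query, a DBMS_XMLGEN call, a page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /xwiki/rest/wikis/xwiki/query'
    '?q=where+doc.space%3D%27Main%27&type=hql HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2025:12:00:07 +0000] "GET /xwiki/rest/wikis/xwiki/query'
    '?q=select+dbms_xmlgen.getxml(%27select+1+from+dual%27)+from+XWikiDocument+doc'
    '&type=hql HTTP/1.1" 200 311',
    '10.0.0.9 - - [01/Jan/2025:12:00:09 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4021',
]

if __name__ == "__main__":
    for version in ("15.10.15", "15.10.16", "16.4.6", "16.7.0", "16.10.2"):
        print(version, "vulnerable" if is_vulnerable(version) else "fixed")
    for number, hql in scan(SAMPLE_LOG):
        print("line %d: %s" % (number, hql))
```

The version test deliberately treats 16.0 to 16.3 and 16.5 to 16.9 as unfixed, since the advisory names no patched release for those series. The scanner matches on the decoded query, so percent- or plus-encoding of the package name does not hide it; it says nothing about queries sent in a POST body, which this log format does not record.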