XWiki Platform WebJars API Path Traversal Vulnerability Allowing Configuration File Access

Vulnerability

A path traversal vulnerability has been identified in XWiki Platform versions 6.1-milestone-2 through 16.10.6. The issue arises within the WebJars API, where it is possible to access and read sensitive configuration files, such as 'xwiki.cfg', by exploiting the URL parsing behavior of the server. This vulnerability takes advantage of encoded path traversal sequences to navigate out of the intended directory structure and retrieve files that should not be publicly accessible.

Impact

Exploitation of this vulnerability gives an unauthenticated requester read access to sensitive configuration files, which may contain critical information such as passwords.

Reproduction

The vulnerability can be reproduced by sending a request to the WebJars endpoint whose URL includes encoded path traversal sequences. For example, the URL can be crafted to navigate up the directory structure and reach the 'xwiki.cfg' file located in the 'WEB-INF' directory. Encoding the '/' character bypasses the normal URL parsing restrictions, so the server resolves the decoded path and serves a file that should never be reachable through this endpoint.

Remediation

Users should upgrade to XWiki Platform 16.10.7 or 17.4.0-rc-1, the versions in which this vulnerability is fixed.
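For readers maintaining a similar static-resource endpoint, the following added example (not XWiki's own code, and not its actual fix) shows the kind of server-side check that closes this class of bug: the requested resource name is percent-decoded until stable, normalized, and only served if it still resolves inside the resource root and never touches WEB-INF. The resource root prefix and the log format used by the scanner are assumptions.

```python
"""Hardened resource-path check for a WebJars-style static-file endpoint."""
from posixpath import normpath
from typing import List, Optional
from urllib.parse import unquote

# Assumed layout: webjar resources live below this prefix inside the deployed
# webapp; anything that resolves outside it must never be served.
RESOURCE_ROOT = "META-INF/resources/webjars"


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the value stops changing.

    A single decode pass misses double-encoded separators (e.g. %252F), which
    is exactly how a decode-after-validate ordering gets bypassed.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("excessive percent-encoding nesting")


def resolve_resource(requested: str) -> Optional[str]:
    """Return the canonical path to serve, or None if the request must be refused."""
    try:
        decoded = fully_decode(requested)
    except ValueError:
        return None
    # Backslashes and NUL bytes have no place in a webjar resource name.
    if "\\" in decoded or "\x00" in decoded:
        return None
    # normpath collapses '.' and '..' lexically (it does not follow symlinks),
    # so an escape from the root shows up as a prefix mismatch.
    candidate = normpath(f"{RESOURCE_ROOT}/{decoded.lstrip('/')}")
    if not candidate.startswith(RESOURCE_ROOT + "/"):
        return None
    # Defence in depth: never serve anything under WEB-INF, whatever the root.
    if any(seg.upper() == "WEB-INF" for seg in candidate.split("/")):
        return None
    return candidate


def scan_access_log(lines: List[str]) -> List[str]:
    """Flag log lines (constructed format: '<method> <path> <status>') whose
    WebJars request the check above would have refused."""
    prefix = "/webjars/"
    flagged = []
    for line in lines:
        path = line.split()[1]
        if path.startswith(prefix) and resolve_resource(path[len(prefix):]) is None:
            flagged.append(line)
    return flagged
```

Run the scanner over a web server access log to find requests that were served before the upgrade and would now be refused; any hit is worth treating as a possible read of 'xwiki.cfg'.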

Added: Sep 3, 2025, 9:24 PM
Updated: Sep 3, 2025, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 3.3
exploitability: 9.5
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.