XWiki Platform Configuration File Access Vulnerability via Path Traversal
Vulnerability
A vulnerability in XWiki Platform allows configuration files to be read through the jsx and sx endpoints. The issue affects versions from 4.2-milestone-2 up to, but not including, 16.10.7. By exploiting it, an attacker can read sensitive configuration files, including database credentials, using crafted URLs whose path-traversal sequences reach files inside the application's WEB-INF directory. The vulnerability has been reproduced on Tomcat instances, including the XWiki Docker image.
Impact
Exploitation of this vulnerability allows unauthorized access to sensitive configuration files, such as the XWiki configuration file (xwiki.cfg), which may contain unencrypted database credentials and other critical information.
Reproduction
The vulnerability can be reproduced by sending a request to the XWiki server's sx or jsx endpoint with a query parameter that includes a path traversal payload. The payload should navigate up the directory structure to access the WEB-INF directory and retrieve the xwiki.cfg file. This can be done using a URL such as 'http://localhost:8080/bin/jsx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false'.
Remediation
Users are advised to upgrade to XWiki Platform version 16.10.7 or 17.4.0-rc-1. For deployments that place Apache HTTPD in front of XWiki as a reverse proxy, a temporary workaround is to add rewrite rules that block path traversal attempts in the query string.
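As an added example, not code from the advisory or from the XWiki project, the following script scans Apache-style access logs for requests to the /bin/jsx and /bin/sx endpoints whose query parameters carry a traversal sequence, decoding percent-encoding repeatedly so single- and double-encoded variants are caught as well. The log lines are constructed sample data; only the endpoint names and the xwiki.cfg path come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /bin/jsx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 4120 "-" "curl/8.0"
10.0.0.6 - - [01/May/2025:10:00:02 +0000] "GET /bin/sx/XWiki/StyleSheet?resource=%2e%2e%2f%2e%2e%2fWEB-INF%2Fxwiki.cfg HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2025:10:00:03 +0000] "GET /bin/jsx/Main/WebHome?resource=%252e%252e%252f%252e%252e%252fWEB-INF%252Fxwiki.cfg HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.8 - - [01/May/2025:10:00:04 +0000] "GET /bin/jsx/Main/WebHome?resource=js/tree.js&minify=true HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.9 - - [01/May/2025:10:00:05 +0000] "GET /bin/view/Main/WebHome?foo=../../bar HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT_RE = re.compile(r"^/bin/(jsx|sx)/")  # the two affected endpoints


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e is normalised to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(path):
    """True if the decoded path contains a '..' segment (forward or back slashes)."""
    return ".." in re.split(r"[\\/]+", path)


def flag_traversal(log_text):
    """Return (client_ip, parameter, decoded_value) for every request to /bin/jsx or
    /bin/sx whose query string carries a traversal sequence in any parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not ENDPOINT_RE.match(target.path):
            continue  # other XWiki actions are out of scope for this check
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            for v in values:  # parse_qs decodes once; handle further layers ourselves
                decoded = fully_decode(v)
                if escapes_base(decoded):
                    hits.append((line.split()[0], name, decoded))
    return hits


if __name__ == "__main__":
    for ip, param, value in flag_traversal(SAMPLE_LOG):
        print(f"{ip} traversal in {param!r}: {value}")
```

A blocking rule at the reverse proxy should apply the same decoding before matching, otherwise an encoded `%2e%2e` passes a rule that only looks for a literal `..`.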