CVE-2022-41935

### Impact User without the right to view documents can deduce their existence by repeated Livetable queries. #### Reproduction steps 1. Restrict "view" access to `Sandbox.TestPage3` by setting an explicit view right for admins 1. As a user who is not an admin, open `<server>/bin/get/XWiki/LiveTableResults?outputSyntax=plain&classname=&collist=doc.title%2Cdoc.location%2Cdoc.content&doc.title=Sandbo&doc.location=Sandbox.TestPage3&doc.content=dummy&limit=0` where `<server>` is the URL of your XWiki installation. #### Expect Result: No results are displayed as the user doesn't have view rights on Sandbox.TestPage3. ##### Actual Result: The result ```json { "reqNo": null, "matchingtags": {}, "tags": [], "totalrows": 1, "returnedrows": 0, "offset": 1, "rows": [ { "doc_viewable": false, "doc_fullName": "obfuscated" } ] } ``` is displayed. This reveals that a document `Sandbox.TestPage3` exists (we explicitly searched for this name) which has a title containing `"Sandbo"` and a content containing `"dummy"`. By starting with a single letter and then iteratively extending the match, the full content of the title/content or XObject properties can be discovered. Several tests can be combined in a single request to use binary search to narrow down the actual match from a list of possible characters/words. If the used alphabet is known and smaller than 128 distinct characters, it is possible to discover one character with 7 requests. Alternatively, frequencies of words and word pairs (2-gram frequencies) can be used to first guess whole words and only resort to guessing individual characters if none of the predicted words match, allowing a much faster recovery of the textual content. As it also depends on the content how easy the attack is and how much recovered content would be a "successful" attack, it is hard to quantify how many requests are necessary. ### Patches The issue has been patched in XWiki 14.6RC1, 13.10.8, and 14.4.3, the response is not properly cleaned up of obfuscated entries. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a) for the document `XWiki.LiveTableResultsMacros` can be manually applied or a XAR archive of a patched version can be [imported](https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/Imports#HImportingXWikipages), on versions >= 12.10.11, >= 13.9-rc-1, and >= 13.4.4. ### References - https://github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a - https://jira.xwiki.org/browse/XWIKI-19999 ### For more information If you have any questions or comments about this advisory: - Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) - Email us at [Security Mailing List](mailto:[email protected])