XWiki getdeleteddocuments.vm Vulnerability CVE-2025-32429
XWiki Platform is an enterprise-grade, general-purpose wiki platform that provides runtime services to the applications built on top of it, offering collaborative editing features backed by powerful runtime services.
I. Overview
XWiki Platform offers rich extensibility options to meet a wide range of customization needs; through its embedded Velocity and Groovy scripting and its macro facility, users can call the platform API with a few lines of code.
XWiki Platform also has a large catalogue of community extensions that install with one click, and its REST API support allows a complete front-end/back-end separation and seamless integration with third-party systems.
The Dongke Technology (栋科技) vulnerability database has taken note of an SQL injection vulnerability in the getdeleteddocuments.vm template of the general-purpose XWiki platform, tracked as CVE-2025-32429 with a CVSS score of 9.3.
II. Vulnerability Analysis
CVE-2025-32429 is present in several affected versions of the general-purpose XWiki platform; it allows anyone to inject SQL through the sort parameter of getdeleteddocuments.vm.
The vulnerability mainly affects XWiki versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2; the injected statement is used directly as the ORDER BY value.
An attacker exploiting this vulnerability can inject SQL through the sort parameter of getdeleteddocuments.vm to manipulate database queries, which can result in data leakage, data tampering or denial of service.
Specifically, anyone can observe the result of the injection through a link such as the following:
http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected
This particular example does not do anything, but it shows that an HQL query is executed with the passed value, which does not look like an ORDER BY value at all, without any kind of sanitization.
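To make the missing check concrete, here is an added example (not XWiki's code) in Python: a stand-in for the `checkOrderBySafe(['ddoc.'], $order)` allowlist check that the template relies on, wired into a function that mirrors how the template turns the `sort` and `dir` request parameters into the `order by` fragment. The regex, the exception class and the function names are assumptions made for this example.

```python
import re

# Hypothetical stand-in for XWiki's checkOrderBySafe, constructed for this
# example. An ORDER BY term is accepted only if it is a plain dotted
# identifier path (alias.property[.property...]) that starts with one of the
# allowed alias prefixes; the template passes ['ddoc.'].
_ORDER_TERM = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+")


class UnsafeOrderBy(ValueError):
    """Raised when a sort value must not be interpolated into HQL."""


def check_order_by_safe(allowed_prefixes, order_by_value):
    """Reject anything that is not an allowlisted column path."""
    if not _ORDER_TERM.fullmatch(order_by_value):
        raise UnsafeOrderBy(f"Unsafe ORDER BY value [{order_by_value}].")
    if not any(order_by_value.startswith(p) for p in allowed_prefixes):
        raise UnsafeOrderBy(f"Unsafe ORDER BY value [{order_by_value}].")
    return True


def build_order_clause(request_params):
    """Mirror the template: sort/dir parameters -> 'order by ...' fragment.

    `dir` is normalised to 'asc' or 'desc' exactly as the template does, so
    it is safe to interpolate; `sort` is user-controlled text and must pass
    the allowlist check before it reaches the HQL string.
    """
    order = request_params.get("sort", "")
    if order == "":
        return ""
    direction = request_params.get("dir", "").lower()
    if direction != "" and direction != "asc":
        direction = "desc"
    check_order_by_safe(["ddoc."], order)
    return f"order by {order} {direction}".rstrip()


def is_accepted(sort_value):
    """True if the sort value would be interpolated, False if it is rejected."""
    try:
        build_order_clause({"sort": sort_value})
        return True
    except UnsafeOrderBy:
        return False
```

Without the `check_order_by_safe` call, `build_order_clause` would return `order by injected` for the URL shown above, which is exactly the unsanitized interpolation the advisory describes.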
The vulnerable code is as follows:
1. xwiki-platform-core/xwiki-platform-oldcore/src/main/java/org/xwiki/query/hql/internal/DefaultHQLStatementValidator.java
@@ -117,7 +117,7 @@ public void checkOrderBySafe(List<String> allowedPrefixes, String orderByValue)
}
if (!valid) {
throw new QueryException("Usafe ORDER BY value [" + orderByValue + "].", null);
throw new QueryException("Unsafe ORDER BY value [" + orderByValue + "].", null);
}
}
}
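Review bot: Only the exception message changes in this hunk ("Usafe" becomes "Unsafe" in the `throw new QueryException(...)` line); the `if (!valid)` test itself is untouched, so this is a typo fix and not the security change. The commit message should say so, otherwise a reader skimming the diff may take this file for the fix and miss that the substantive change is in getdeleteddocuments.vm.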
2. xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/getdeleteddocuments.vm
@@ -49,7 +49,6 @@ $response.setContentType("application/json")
#set ($order = "$!request.sort")
#set ($orderQueryPart = '')
#if ($order != '')
#set($discard = $services.query.hql.checkOrderBySafe(['ddoc.'], $order))
#set ($orderDirection = "$!{request.get('dir').toLowerCase()}")
#if ("$!orderDirection" != '' && "$!orderDirection" != 'asc')
#set($orderDirection = 'desc')
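Review bot: This hunk removes the `#set($discard = $services.query.hql.checkOrderBySafe(['ddoc.'], $order))` call that ran directly after `#if ($order != '')`, at a point where `$order` can still be reassigned further down the template. Taken alone it leaves the sort value unvalidated, so it must only be merged together with the hunk that reinstates the call next to the `order by` interpolation; please keep both in the same commit rather than splitting them.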
@@ -59,6 +58,7 @@ $response.setContentType("application/json")
## So we filter on the document full name instead, which is the expected behavior.
#set ($order = 'ddoc.fullName')
#end
#set($discard = $services.query.hql.checkOrderBySafe(['ddoc.'], $order))
## Weird things happen if we use "ORDER BY" (upper case), at least on HSQLDB. Other DBs may behave differently
#set ($orderQueryPart = "order by ${order} ${orderDirection}")
#end
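Review bot: Placing `checkOrderBySafe(['ddoc.'], $order)` immediately before `#set ($orderQueryPart = "order by ${order} ${orderDirection}")` is the right spot, because it validates the value that is actually interpolated, including the `ddoc.fullName` override set just above it. `${orderDirection}` is interpolated too but was already normalised to 'asc' or 'desc' in the previous hunk, so it needs no check. Since the `'ddoc.'` prefix list is the only constraint visible here, the validator is being relied on to reject anything that is not a plain column reference; a one-line comment explaining why the call sits after the `#end` would help the next maintainer not move it back.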
III. Affected Versions
9.4-rc-1 <= XWiki < 16.10.6
17.0.0-rc-1 <= XWiki < 17.3.0-rc-1
IV. Remediation
XWiki >= 16.10.6
XWiki >= 17.3.0-rc-1
V. References
