Moderate severityNVD Advisory· Published Apr 15, 2023· Updated Feb 6, 2025
URL Redirection to Untrusted Site ('Open Redirect') in org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-29204
Description
XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as //mydomain.com (i.e. omitting the http:). It was also possible to bypass it when using URL such as http:/mydomain.com. The problem has been patched on XWiki 13.10.10, 14.4.4 and 14.8RC1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-oldcoreMaven | >= 6.0-rc-1, < 13.10.10 | 13.10.10 |
org.xwiki.platform:xwiki-platform-oldcoreMaven | >= 14.0-rc-1, < 14.4.4 | 14.4.4 |
org.xwiki.platform:xwiki-platform-oldcoreMaven | >= 14.5, < 14.8-rc-1 | 14.8-rc-1 |
Affected products
1- Range: >= 6.0-rc-1, < 13.10.10
Patches
1e4f7f68e93cbXWIKI-19994: False positive redirect checking
2 files changed · +131 −1
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/XWikiServletResponse.java+8 −1 modified@@ -38,7 +38,7 @@ public class XWikiServletResponse implements XWikiResponse { private static final Logger LOGGER = LoggerFactory.getLogger(XWikiServletResponse.class); - private static final Pattern ABSOLUTE_URL_PATTERN = Pattern.compile("[a-z0-9]+://.*"); + private static final Pattern ABSOLUTE_URL_PATTERN = Pattern.compile("[a-z0-9]+:/[/]?.*"); private HttpServletResponse response; @@ -71,6 +71,13 @@ public void sendRedirect(String redirect) throws IOException return; } + if (StringUtils.startsWith(redirect, "//")) { + LOGGER.warn("Possible phishing attack, attempting to redirect to [{}]. If this request is legitimate, " + + "use an actual absolute URL and pay attention to configure properly url.trustedDomains in " + + "xwiki.properties", redirect); + return; + } + // check for trusted domains, only if the given location is an absolute URL. if (ABSOLUTE_URL_PATTERN.matcher(redirect).matches()) { if (!getURLSecurityManager().isDomainTrusted(new URL(redirect))) {
xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/web/XWikiServletResponseTest.java+123 −0 added@@ -0,0 +1,123 @@ +/* + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package com.xpn.xwiki.web; + +import java.io.IOException; +import java.net.URL; + +import javax.servlet.http.HttpServletResponse; + +import org.apache.ecs.wml.U; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.xwiki.component.manager.ComponentManager; +import org.xwiki.test.annotation.BeforeComponent; +import org.xwiki.test.junit5.mockito.ComponentTest; +import org.xwiki.test.junit5.mockito.InjectMockComponents; +import org.xwiki.test.junit5.mockito.MockComponent; +import org.xwiki.test.mockito.MockitoComponentManager; +import org.xwiki.url.URLSecurityManager; + +import static org.junit.jupiter.api.Assertions.*; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +/** + * Tests for {@link XWikiServletResponse}. + * + * @version $Id$ + */ +@ComponentTest +class XWikiServletResponseTest +{ + @MockComponent + private URLSecurityManager urlSecurityManager; + + private XWikiServletResponse servletResponse; + private HttpServletResponse httpServletResponse; + + @BeforeComponent + void beforeComponent(MockitoComponentManager mockitoComponentManager) throws Exception + { + mockitoComponentManager.registerComponent(ComponentManager.class, "context", mockitoComponentManager); + Utils.setComponentManager(mockitoComponentManager); + } + + @BeforeEach + void setup() + { + this.httpServletResponse = mock(HttpServletResponse.class); + this.servletResponse = new XWikiServletResponse(this.httpServletResponse); + } + + @Test + void sendRedirect() throws IOException + { + this.servletResponse.sendRedirect(""); + verify(this.httpServletResponse, never()).sendRedirect(any()); + + this.servletResponse.sendRedirect("/xwiki/\n/something/"); + verify(this.httpServletResponse, never()).sendRedirect(any()); + + this.servletResponse.sendRedirect("//xwiki.org/xwiki/something/"); + verify(this.httpServletResponse, never()).sendRedirect(any()); + + String redirect = "http://xwiki.org/xwiki/something/"; + URL redirectUrl = new URL(redirect); + when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false); + this.servletResponse.sendRedirect(redirect); + verify(this.httpServletResponse, never()).sendRedirect(any()); + verify(this.urlSecurityManager).isDomainTrusted(redirectUrl); + + redirect = "http:/xwiki.com/xwiki/something/"; + redirectUrl = new URL(redirect); + when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false); + this.servletResponse.sendRedirect(redirect); + verify(this.httpServletResponse, never()).sendRedirect(any()); + verify(this.urlSecurityManager).isDomainTrusted(redirectUrl); + + redirect = "https://floo"; + redirectUrl = new URL(redirect); + when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false); + this.servletResponse.sendRedirect(redirect); + verify(this.httpServletResponse, never()).sendRedirect(any()); + verify(this.urlSecurityManager).isDomainTrusted(redirectUrl); + + redirect = "ftp://xwiki.org/xwiki/something/"; + redirectUrl = new URL(redirect); + when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false); + this.servletResponse.sendRedirect(redirect); + verify(this.httpServletResponse, never()).sendRedirect(any()); + verify(this.urlSecurityManager).isDomainTrusted(redirectUrl); + + this.servletResponse.sendRedirect("/xwiki/something/"); + verify(this.httpServletResponse).sendRedirect("/xwiki/something/"); + + redirect = "http://xwiki.org/foo/"; + redirectUrl = new URL(redirect); + when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(true); + this.servletResponse.sendRedirect(redirect); + verify(this.httpServletResponse).sendRedirect(redirect); + verify(this.urlSecurityManager).isDomainTrusted(redirectUrl); + } +} \ No newline at end of file
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-xwph-x6xj-wggvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-29204ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218abf192d1eghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp55-vvmf-63mvghsaWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-xwph-x6xj-wggvghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-10309ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-19994ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.