VYPR
← All advisories
Moderate severityNVD Advisory· Published May 15, 2023· Updated Jan 22, 2025

URL Redirection to Untrusted Site in XWiki

CVE-2023-32068

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it's possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1 but there is still the possibility to force specific URLs to skip some checks, e.g. using URLs like http:example.com in the parameter would allow the redirect. The issue has now been patched against all patterns that are known for performing redirects. This issue has been patched in XWiki 14.10.4 and 15.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-oldcoreMaven
< 14.10.414.10.4

Affected products

1

Patches

1
e4f7f68e93cb

XWIKI-19994: False positive redirect checking

https://github.com/xwiki/xwiki-platformSimon UrliSep 5, 2022via ghsa
commit
2 files changed · +131 1
  • xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/XWikiServletResponse.java+8 1 modified
    @@ -38,7 +38,7 @@
 public class XWikiServletResponse implements XWikiResponse
 {
     private static final Logger LOGGER = LoggerFactory.getLogger(XWikiServletResponse.class);
-    private static final Pattern ABSOLUTE_URL_PATTERN = Pattern.compile("[a-z0-9]+://.*");
+    private static final Pattern ABSOLUTE_URL_PATTERN = Pattern.compile("[a-z0-9]+:/[/]?.*");
 
     private HttpServletResponse response;
 
@@ -71,6 +71,13 @@ public void sendRedirect(String redirect) throws IOException
             return;
         }
 
+        if (StringUtils.startsWith(redirect, "//")) {
+            LOGGER.warn("Possible phishing attack, attempting to redirect to [{}]. If this request is legitimate, "
+                + "use an actual absolute URL and pay attention to configure properly url.trustedDomains in "
+                + "xwiki.properties", redirect);
+            return;
+        }
+
         // check for trusted domains, only if the given location is an absolute URL.
         if (ABSOLUTE_URL_PATTERN.matcher(redirect).matches()) {
             if (!getURLSecurityManager().isDomainTrusted(new URL(redirect))) {
  • xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/web/XWikiServletResponseTest.java+123 0 added
    @@ -0,0 +1,123 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package com.xpn.xwiki.web;
+
+import java.io.IOException;
+import java.net.URL;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.ecs.wml.U;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.xwiki.component.manager.ComponentManager;
+import org.xwiki.test.annotation.BeforeComponent;
+import org.xwiki.test.junit5.mockito.ComponentTest;
+import org.xwiki.test.junit5.mockito.InjectMockComponents;
+import org.xwiki.test.junit5.mockito.MockComponent;
+import org.xwiki.test.mockito.MockitoComponentManager;
+import org.xwiki.url.URLSecurityManager;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+/**
+ * Tests for {@link XWikiServletResponse}.
+ *
+ * @version $Id$
+ */
+@ComponentTest
+class XWikiServletResponseTest
+{
+    @MockComponent
+    private URLSecurityManager urlSecurityManager;
+
+    private XWikiServletResponse servletResponse;
+    private HttpServletResponse httpServletResponse;
+
+    @BeforeComponent
+    void beforeComponent(MockitoComponentManager mockitoComponentManager) throws Exception
+    {
+        mockitoComponentManager.registerComponent(ComponentManager.class, "context", mockitoComponentManager);
+        Utils.setComponentManager(mockitoComponentManager);
+    }
+
+    @BeforeEach
+    void setup()
+    {
+        this.httpServletResponse = mock(HttpServletResponse.class);
+        this.servletResponse = new XWikiServletResponse(this.httpServletResponse);
+    }
+
+    @Test
+    void sendRedirect() throws IOException
+    {
+        this.servletResponse.sendRedirect("");
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+
+        this.servletResponse.sendRedirect("/xwiki/\n/something/");
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+
+        this.servletResponse.sendRedirect("//xwiki.org/xwiki/something/");
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+
+        String redirect = "http://xwiki.org/xwiki/something/";
+        URL redirectUrl = new URL(redirect);
+        when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
+        this.servletResponse.sendRedirect(redirect);
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+        verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);
+
+        redirect = "http:/xwiki.com/xwiki/something/";
+        redirectUrl = new URL(redirect);
+        when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
+        this.servletResponse.sendRedirect(redirect);
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+        verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);
+
+        redirect = "https://floo";
+        redirectUrl = new URL(redirect);
+        when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
+        this.servletResponse.sendRedirect(redirect);
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+        verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);
+
+        redirect = "ftp://xwiki.org/xwiki/something/";
+        redirectUrl = new URL(redirect);
+        when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(false);
+        this.servletResponse.sendRedirect(redirect);
+        verify(this.httpServletResponse, never()).sendRedirect(any());
+        verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);
+
+        this.servletResponse.sendRedirect("/xwiki/something/");
+        verify(this.httpServletResponse).sendRedirect("/xwiki/something/");
+
+        redirect = "http://xwiki.org/foo/";
+        redirectUrl = new URL(redirect);
+        when(this.urlSecurityManager.isDomainTrusted(redirectUrl)).thenReturn(true);
+        this.servletResponse.sendRedirect(redirect);
+        verify(this.httpServletResponse).sendRedirect(redirect);
+        verify(this.urlSecurityManager).isDomainTrusted(redirectUrl);
+    }
+}
\ No newline at end of file

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.