Intelligence
highVulnerabilityActive

XWiki Platform Path Traversal in Resource Endpoints – Configuration File Disclosure

XWiki's ssx and jsx endpoints fail to sanitize the resource parameter when leading slashes are present, allowing unauthenticated path traversal to read sensitive files like WEB-INF/xwiki.cfg. The PoC demonstrates reliable, low-complexity exploitation that could expose database credentials and system configuration.

S
Sebastion

CVE References

CVE-2026-23734

Affected

XWiki/xwiki-platform (<16.10.17)XWiki/xwiki-platform (<17.4.9)XWiki/xwiki-platform (<17.10.3)XWiki/xwiki-platform (<18.0.0-rc-1)

Vulnerability Description

This is a path traversal (CWE-22) vulnerability in XWiki's stylesheet (ssx) and JavaScript (jsx) serving endpoints. The root cause is insufficient input validation on the resource parameter; the application fails to reject or normalize paths beginning with / before path canonicalization. This allows attackers to break out of the intended resource directory and access arbitrary files readable by the web server process, including configuration files containing database credentials, API keys, and system secrets.

PoC Significance

The disclosed PoC (/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false) is significant because it demonstrates: (1) unauthenticated access – no login required; (2) reliable exploitation – works consistently on Tomcat deployments; (3) high-value target – WEB-INF/xwiki.cfg contains database connection strings and security tokens; (4) low barrier to discovery – standard web reconnaissance will identify ssx/jsx endpoints. The minify=false parameter disables output obfuscation, confirming the attacker receives readable file contents.

Detection Guidance

Web Application Firewall (WAF) rules:

  • Flag HTTP requests to /bin/ssx/* or /bin/jsx/* with resource= parameters containing ../, ..%2F, %2e%2e, leading /, or %2F..
  • Alert on successful (HTTP 200) responses from these endpoints with file extensions .cfg, .xml, .properties, or .yaml in the resource parameter

Log indicators:

  • Search access logs for patterns: GET /bin/(ssx|jsx) with resource= containing traversal sequences
  • Monitor for requests accessing WEB-INF/, META-INF/, or system configuration paths via these endpoints

YARA pattern (HTTP traffic):

rule xwiki_path_traversal_attempt {
  strings:
    $ep1 = "/bin/ssx/" nocase
    $ep2 = "/bin/jsx/" nocase
    $param = "resource=" nocase
    $traversal = /(\.\.\/|\.\.\\/|%2e%2e|%2f\.\.|%2f\.\.)/
  condition: ($ep1 or $ep2) and $param and $traversal
}

Mitigation Steps

Immediate (if patching is delayed):

  1. Deploy WAF rules to block requests matching the detection patterns above
  2. Restrict network access to XWiki administration endpoints (/bin/ssx, /bin/jsx) to trusted networks only
  3. Review access logs for historical exploitation attempts
  4. Rotate database credentials and API keys stored in WEB-INF/xwiki.cfg as a precaution

Short-term (patch deployment):

  • Upgrade to patched versions: 18.0.0-rc-1, 17.10.3, 17.4.9, or 16.10.17 (or later)
  • Test patches in staging before production rollout
  • Verify the patch normalizes leading slashes in the resource parameter before directory traversal checks

Risk Assessment

Likelihood of exploitation: High – The vulnerability requires no authentication, is trivial to exploit, and the PoC is public. Security researchers and opportunistic attackers will probe for affected versions immediately. Threat actor interest: High – Configuration file theft is a standard reconnaissance step; obtained credentials enable lateral movement and persistent access. In-the-wild prevalence: Expected to be significant within 2–4 weeks of advisory publication, particularly against internet-facing XWiki instances. Organizations running XWiki versions <16.10.17 in production should prioritize patching.

Sources

pocpath-traversalinformation-disclosureauthentication-bypassweb-applicationxwikicve-2026-23734resource-enumeration
Back to intelligence