Severity: Critical | Type: Vulnerability | Status: Active

XWiki Platform Unauthenticated XAR Import via REST API - Authentication Bypass

The POST /wikis/{wikiName} endpoint in XWiki Platform lacks authentication checks, allowing unauthenticated attackers to import XAR files and modify wiki content. This is a high-impact authentication bypass affecting content integrity and availability.

Author: Sebastion

CVE References

Affected

  • XWiki Platform <16.10.17
  • XWiki Platform 17.0-17.4.8
  • XWiki Platform 17.10.0-17.10.2
  • XWiki Platform 18.0.0
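A small inventory check that classifies a reported XWiki Platform version against the affected and fixed ranges stated in this advisory. This is an added example, not code from the advisory or from the XWiki project; it assumes XWiki's usual "major.minor.patch[-rc-N]" version strings, applies "or later" per release branch, and reports versions the advisory does not mention (for example 17.5.x-17.9.x) as "unlisted" rather than guessing.

```python
"""Classify an XWiki Platform version against this advisory's version ranges.

Added example (not from the advisory or XWiki). Assumptions: versions look like
"17.4.8" or "18.1.0-rc-1"; a pre-release sorts before its final release; "or
later" in the fix list applies within the same release branch.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """Turn '18.1.0-rc-1' into a comparable tuple.

    Layout: (major, minor, patch, is_final, pre_release_key). is_final is 1 for
    a final release and 0 for a pre-release, so 18.1.0-rc-1 < 18.1.0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, pre = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    if pre is None:
        return base + (1, ())
    pre_key = tuple(int(p) if p.isdigit() else p for p in pre.split("-"))
    return base + (0, pre_key)


V = parse_version

# (inclusive lower bound, exclusive upper bound); None means unbounded.
# Taken from the advisory's "Affected" list: <16.10.17, 17.0-17.4.8,
# 17.10.0-17.10.2 and 18.0.0.
AFFECTED_RANGES = [
    (None, V("16.10.17")),
    (V("17.0.0"), V("17.4.9")),
    (V("17.10.0"), V("17.10.3")),
    (V("18.0.0"), V("18.0.1")),
]

# Taken from the advisory's fix list: 16.10.17, 17.4.9, 17.10.3, 18.0.1 and
# 18.1.0-rc-1 "or later", applied per branch (assumption of this example).
FIXED_RANGES = [
    (V("16.10.17"), V("17.0.0")),
    (V("17.4.9"), V("17.5.0")),
    (V("17.10.3"), V("18.0.0")),
    (V("18.0.1"), V("18.1.0")),
    (V("18.1.0-rc-1"), None),
]


def in_range(v, lo, hi):
    return (lo is None or lo <= v) and (hi is None or v < hi)


def classify(text):
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(text)
    if any(in_range(v, lo, hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    if any(in_range(v, lo, hi) for lo, hi in FIXED_RANGES):
        return "fixed"
    return "unlisted"


if __name__ == "__main__":
    for ver in ["15.10.8", "16.10.17", "17.4.8", "17.6.2", "17.10.2",
                "18.0.0", "18.0.1", "18.1.0-rc-1"]:
        print(f"{ver:>12}: {classify(ver)}")
```

Feed it the version string from each instance's Administration page or REST root; an "unlisted" result means the advisory gives no verdict for that branch, and the instance should be treated as unverified rather than safe.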

Vulnerability Description

This is an authentication bypass vulnerability in the XWiki Platform REST API endpoint POST /wikis/{wikiName}. The XAR (XWiki Archive) import functionality fails to perform any authentication or authorization validation before processing import requests. XAR is XWiki's serialization format for wiki content, including pages, attachments, and metadata. The vulnerability allows unauthenticated attackers to directly invoke the import mechanism, bypassing the intended access controls. The root cause is missing pre-request authentication middleware or filter on this specific endpoint.

Proof-of-Concept Significance

The disclosed PoC demonstrates that an attacker requires only network access to the XWiki instance and knowledge of the target wiki name—no credentials or session tokens are needed. The attack is reliable because the vulnerability exists at the API layer before any authorization logic executes. Preconditions are minimal: only that the XWiki instance is accessible and the REST API endpoint is enabled (default configuration). The PoC validates that POST requests with malicious XAR payloads will be processed, enabling document creation, updates, or potential code execution depending on XAR payload content.

Detection Guidance

HTTP Access Logs:

  • Monitor for POST requests to /wikis/{wikiName} and /wikis/{wikiName}/ (the wiki-level resource itself, not its sub-resources) that carry no authentication
  • Flag requests lacking valid session cookies or Authorization headers
  • Correlate POST requests to this endpoint with missing authentication context in application logs

Application Logs:

  • Search XWiki logs for XAR import operations initiated without authenticated user context
  • Look for import activities from IP addresses without corresponding login events
  • Alert on XAR processing errors combined with unauthenticated request patterns

IDS/WAF Signatures:

  • Pattern: POST /wikis/[a-zA-Z0-9_-]+/? without valid session token
  • Payload inspection: XAR files (ZIP archives with .xar extension or XML content) in request body from unauthenticated sources
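The access-log and application-log checks above, worked through as one detection routine. This is an added example, not code from the advisory or from XWiki. It assumes the reverse proxy (or web server) writes one JSON record per request that includes the Cookie and Authorization headers (the field names are this example's own), that an authenticated browser session is carried in the servlet container's JSESSIONID cookie, and that a form login is visible as a POST to the XWiki login action (the path used below is an assumption; adjust it to your deployment). The log records are constructed for the demo.

```python
"""Flag unauthenticated POST /wikis/{wikiName} requests in proxy logs.

Added example (not from the advisory or XWiki). Assumes JSON-lines logs with
fields ts, src, method, path, status, cookie, authorization; the login action
path and field names are assumptions, the log records are constructed.
"""
import json
import re

# Path pattern from the advisory's IDS/WAF guidance: the wiki-level resource
# with an optional trailing slash and nothing after the wiki name.
WIKI_IMPORT_PATH = re.compile(r"/wikis/[A-Za-z0-9_-]+/?$")

# Servlet session cookie (assumption); REST clients may send HTTP Basic instead.
SESSION_COOKIE = "JSESSIONID"

# Assumed login action path; a POST here is treated as a login event.
LOGIN_PATH_SUFFIX = "/bin/loginsubmit/XWiki/XWikiLogin"

# Constructed sample log: one legitimate import after a login, two
# unauthenticated imports from 203.0.113.7, noise, a Basic-auth import, and an
# import with a session cookie from an IP that never logged in.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/xwiki/bin/loginsubmit/XWiki/XWikiLogin","status":302,"cookie":"","authorization":""}
{"ts":"2024-01-01T10:00:05Z","src":"10.0.0.5","method":"POST","path":"/xwiki/rest/wikis/xwiki","status":200,"cookie":"JSESSIONID=abc123","authorization":""}
{"ts":"2024-01-01T10:02:10Z","src":"203.0.113.7","method":"POST","path":"/xwiki/rest/wikis/xwiki","status":200,"cookie":"","authorization":""}
{"ts":"2024-01-01T10:02:11Z","src":"203.0.113.7","method":"POST","path":"/xwiki/rest/wikis/xwiki/","status":200,"cookie":"","authorization":""}
{"ts":"2024-01-01T10:03:00Z","src":"198.51.100.9","method":"GET","path":"/xwiki/rest/wikis/xwiki","status":200,"cookie":"","authorization":""}
{"ts":"2024-01-01T10:03:30Z","src":"198.51.100.9","method":"POST","path":"/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome","status":401,"cookie":"","authorization":""}
{"ts":"2024-01-01T10:04:00Z","src":"192.0.2.44","method":"POST","path":"/xwiki/rest/wikis/xwiki?media=json","status":200,"cookie":"","authorization":"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}
{"ts":"2024-01-01T10:05:00Z","src":"172.16.0.3","method":"POST","path":"/xwiki/rest/wikis/xwiki","status":200,"cookie":"JSESSIONID=zzz999","authorization":""}
"""


def is_import_endpoint(method, path):
    """True for POST to /wikis/{wikiName} or /wikis/{wikiName}/ (query ignored)."""
    bare = path.split("?", 1)[0]
    return method.upper() == "POST" and bool(WIKI_IMPORT_PATH.search(bare))


def has_credentials(record):
    """Weak signal only: presence of a session cookie or Authorization header."""
    cookie = record.get("cookie") or ""
    return f"{SESSION_COOKIE}=" in cookie or bool(record.get("authorization"))


def is_login_event(record):
    return record["method"].upper() == "POST" and record["path"].endswith(LOGIN_PATH_SUFFIX)


def detect(log_text):
    """Return (severity, rule, src, path) tuples for suspicious import requests."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    logged_in_sources = {r["src"] for r in records if is_login_event(r)}
    alerts = []
    for r in records:
        if not is_import_endpoint(r["method"], r["path"]):
            continue
        if not has_credentials(r):
            # No cookie and no Authorization header: the bypass pattern itself.
            alerts.append(("HIGH", "unauthenticated-xar-import", r["src"], r["path"]))
        elif f"{SESSION_COOKIE}=" in (r.get("cookie") or "") and r["src"] not in logged_in_sources:
            # Session cookie present but no login seen from this source in the
            # window: worth a look (sticky session elsewhere, or a forged cookie).
            alerts.append(("MEDIUM", "import-session-without-login", r["src"], r["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(" ".join(alert))
```

Run it over the proxy log for the exposure window; HIGH hits are the bypass pattern and should be correlated with XWiki's own import log entries, while MEDIUM hits need the usual session-source review before being treated as incidents.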

Mitigation Steps

Immediate Actions:

  1. Apply security patches to XWiki Platform: upgrade to 16.10.17, 17.4.9, 17.10.3, 18.0.1 or 18.1.0-rc-1, or a later release on the same branch
  2. HTTP proxy workaround (temporary): Block all POST requests to /wikis/{wikiName} and /wikis/{wikiName}/ at the reverse proxy/WAF layer until patching
  3. Restrict API access: Limit REST API exposure to trusted networks via firewall rules

Configuration Hardening:

  • Disable the REST API entirely if not required
  • Implement IP allowlisting for REST API consumers
  • Enable request authentication at the reverse proxy layer (API gateway)
  • Enforce TLS for all API communications

Long-term:

  • Audit other unauthenticated REST endpoints for similar bypass patterns
  • Implement centralized authentication middleware that cannot be bypassed per-endpoint
  • Add automated security testing for authentication on all API routes

Risk Assessment

Likelihood of exploitation in the wild: Very High. This is a zero-interaction, unauthenticated vulnerability with trivial exploitation requirements. Public disclosure increases attack likelihood significantly.

Threat actor interest: High. Content management systems are frequently targeted; attackers can modify pages to host malware, deface content, inject redirects, or establish persistence.

Business impact: Critical—wiki content is mission-critical in many organizations for documentation, collaboration, and knowledge management. Unauthorized modifications could compromise data integrity, availability, and user trust. Potential for lateral movement if XAR payloads support code execution.

Exploitation difficulty: Extremely low—only requires sending a POST request with appropriate XAR content to an exposed endpoint.