RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: AppFusions Doxygen for Atlassian Confluence Vendor URL: www.appfusions.com Type: Cross-site Scripting [CWE-79] Date found: 2016-06-29 Date published: - CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== AppFusions Doxygen for Atlassian Confluence v1.3.3 AppFusions Doxygen for Atlassian Confluence v1.3.2 AppFusions Doxygen for Atlassian Confluence v1.3.1 AppFusions Doxygen for Atlassian Confluence v1.3.0 older versions may be affected too. 4. INTRODUCTION =============== With Doxygen in Confluence, you can embed full-structure code documentation: -Doxygen blueprint in Confluence to allow Doxygen archive imports -Display documentation from annotated sources such as Java (i.e., JavaDoc), C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice flavors), Fortran, VHDL, Tcl, D in Confluence. -Navigation supports code structure (classes, hierarchies, files), element dependencies, inheritance and collaboration diagrams. -Search documentation from within Confluence -Restrict access to who can see/add what -Doxygen in JIRA also available (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The application offers the functionality to import zipped Doxygen documentations via a file upload to make them available in a Confluence page, but does not properly validate the file format/the contents of the uploaded Doxygen file. Since the uploaded file is basically a zipped archive, it is possible to store any type of file in it like an HTML file containing arbitrary script. In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read and used as part of a File object: private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException { String pathInfo = request.getPathInfo(); String[] pathInfoParts = pathInfo.split("file/"); String requestedFile = pathInfoParts[1]; File homeDirectory = this.applicationProperties.getHomeDirectory(); String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen"; File file = new File(doxygenDir, requestedFile); String contentType = this.getServletContext().getMimeType(file.getName()); if (contentType == null) { contentType = "application/octet-stream"; } response.setContentType(contentType); FileInputStream inputStream = null; ServletOutputStream outputStream = null; try { inputStream = new FileInputStream(file); outputStream = response.getOutputStream(); IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream); } finally { IOUtils.closeQuietly((InputStream)inputStream); IOUtils.closeQuietly((OutputStream)outputStream); } } 6. RISK ======= To successfully exploit this vulnerability, the attacker must be authenticated and must have the rights within Atlassian Confluence to upload Doxygen files (default). The vulnerability allows remote attackers to permanently embed arbitrary script code into the context of an Atlassian Confluence page, which offers a wide range of possible attacks such as redirecting users to arbitrary pages, present phishing content or attacking the browser and its components of a user visiting the page. 7. SOLUTION =========== Update to AppFusions Doxygen for Atlassian Confluence v1.3.4 8. REPORT TIMELINE (DD/MM/YYYY) =============================== 23/08/2016: Discovery of the vulnerability 23/08/2016: Sent preliminary advisory incl. PoC to known mail address 30/08/2016: No response, sent out another notification 30/08/2016: Vendor response, team is working on it 20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability 20/11/2016: Advisory released 9. REFERENCES ============= -
Attachment:
signature.asc
Description: OpenPGP digital signature