lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 Sep 2012 01:43:38 +0000
From: Robert Gilbert <>
To: "''" <>,
  "''" <>
Subject: [CVE-ID REQUEST] Atlassian Confluence - Multiple Cross-Site Request
 Forgery (CSRF) Vulnerabilities

Product: Confluence
Vendor: Atlassian
Version: 3.0 / Current
Tested Version: 3.4.6
Vendor Notified Date: June 31, 2011
Release Date: September 19, 2012
Risk: Medium
Authentication: Depends on configuration.
Remote: Yes

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Confluence 3.0 and below allow remote attackers to submit actions on their behalf. Newer versions may also be vulnerable.
Pages that allow a potential attacker to add images (such as in the comments sections) allow CSRF. By not properly checking each URL, an attacker can execute requests on behalf of a legitimate user. 
As a proof-of-concept,  a comment is added to a page which includes the logout URL inside the wiki markup image tags. Whenever anyone visits that page they are automatically logged out because the page attempts to load the image and executes the 'src=url'. This comment can be added to anyone's profile, which would force them to be logged out the moment they login. This can be used for more complex attacks too but going beyond the POC was not necessary.

Exploit POC:
1. Add comment.
2. !|border=1!

Vendor Notified: Yes
Vendor Response: Requested time to resolve.
Vendor Update: 1.5 years later, marked as "Resolution: Won't Fix"


Robert Gilbert
Senior Consultant
HALOCK Security Labs, Purpose Driven Security(tm)
rgilbert [-at-] halock [-dot-] com

Note: This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, and/or confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and delete this message immediately.

Powered by blists - more mailing lists