Atlassian Confluence 6.1.1 Access Restriction Bypass
Posted on 13 June 2017
SEC Consult Vulnerability Lab Security Advisory < 20170613-0 > ======================================================================= title: Access Restriction Bypass product: Atlassian Confluence vulnerable version: 4.3.0 - 6.1.1 fixed version: 6.2.1 CVE number: - impact: Medium homepage: https://www.atlassian.com/ found: 2017-03-27 by: Mathias Frank (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set conventional wisdom on its ear by launching a successful enterprise software company with no sales force. From Australia. Our first product, JIRA, proved that if you make a great piece of software, price it right, and make it available to anyone to download from the internet, teams will come. And they'll build great things with it. And they'll tell two friends, and so on, and so on. Today a lot has changed. We're over 1,700 Atlassians (and growing), in six locations, with products to help all types of teams realize their visions and get stuff done. But the fundamentals remain the same. We're for teams because we believe that great teams can do amazing things. We're not afraid to do things differently. And we're driven by an inspiring set of values that shape our culture and our products for the better." Source: https://www.atlassian.com/company Business recommendation: ------------------------ SEC Consult recommends to upgrade to the latest version available which fixes the identified issue. Vulnerability overview/description: ----------------------------------- 1) Access Restriction Bypass The "watch" functionality provides a user the option to subscribe to specific content. Furthermore, the user gets a notification for any new comment made to the previously subscribed content. A user can manually subscribe to pages which he is not able to view and he then receives any further comment made on the restricted page. Proof of concept: ----------------- 1) Access Restriction Bypass Prerequisite as admin user just for a proof of concept demo page: * Create a Space "Demo Space" visible for every user and group * Create a Page "Demo Page" (example pageID: 1048582) and restrict the "Viewing and editing restriction" to only the administrator group/user with the "/pages/getcontentpermissions.action" function. Send the following request as user: ------------------------------------------------------------------------------ POST /users/addpagenotificationajax.action HTTP/1.1 Host: localhost:8090 Referer: http://localhost:8090/display/ds/Welcome+to+Confluence Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest [...] pageId=1048582&atl_token=1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7 ------------------------------------------------------------------------------ Then the user is subscribed to the "Demo Page" and receives a notification and is able to receive any further comments made on the subscribed page. Vulnerable / tested versions: ----------------------------- The following version has been tested by SEC Consult Atlassian Confluence version 5.9.14 and 6.1.1 Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are affected. Vendor contact timeline: ------------------------ 2017-04-03: Contacting vendor through security@atlassian.com 2017-04-05: Vendor confirmed the vulnerability and issued the references CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence Cloud) 2017-04-13: Vendor fixed the issue CONFCLOUD-54634. 2017-05-11: Asked for planned timeline and release of an fix for CONFSERVER-52241. 2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1. 2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release along with the advisory - https://jira.atlassian.com/browse/CONFSERVER-52560 2017-06-13: Public release of advisory. Solution: --------- Upgrade to version 6.2.1 available at: https://www.atlassian.com/software/confluence/download The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab. https://jira.atlassian.com/browse/CONFSERVER-52560 Workaround: ----------- Disable workbox notifications as per the instructions found at https://confluence.atlassian.com/doc/configuring-workbox-notifications-301663830.html Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Mathias Frank / @2017
