BugTraq
[RCESEC-2016-008] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Full Path Information Disclosure Nov 20 2016 04:56PM
Julien Ahrens (info rcesecurity com)
RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Information Exposure Through an Error Message [CWE-209]
Date found: 2016-06-29
Date published: -
CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVE: -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.

4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and
UNO/OpenOffice
flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen
documentations via a file upload to make it available in a Confluence
page, but does not properly validate the "file" HTTP GET parameter,
which is used to retrieve the uploaded contents.

In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is
read and used as part of a File object:

private void renderContent(HttpServletRequest request,
HttpServletResponse response) throws IOException {
String pathInfo = request.getPathInfo();
String[] pathInfoParts = pathInfo.split("file/");
String requestedFile = pathInfoParts[1];
File homeDirectory = this.applicationProperties.getHomeDirectory();
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator
+ "doxygen";
File file = new File(doxygenDir, requestedFile);
String contentType =
this.getServletContext().getMimeType(file.getName());
if (contentType == null) {
contentType = "application/octet-stream";
}
response.setContentType(contentType);
FileInputStream inputStream = null;
ServletOutputStream outputStream = null;
try {
inputStream = new FileInputStream(file);
outputStream = response.getOutputStream();
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
}
finally {
IOUtils.closeQuietly((InputStream)inputStream);
IOUtils.closeQuietly((OutputStream)outputStream);
}
}

Since there is no exception handling for the opening of the file, this
results in a local server path disclosure within Atlassian Confluence if
a non-existing page is requested like:

http://localhost:8090/plugins/servlet/doxygen/TEST/file/non-existent

This throws the following Stack Trace revealing the full system path.

Cause

java.io.FileNotFoundException:
/var/atlassian/application-data/confluence/doxygen/non-existent (No such
file or directory)
at java.io.FileInputStream.open0(Native Method)
Stack Trace:[hide]

java.io.FileNotFoundException:
/var/atlassian/application-data/confluence/doxygen/non-existent (No such
file or directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)

6. RISK
=======
To successfully exploit this vulnerability, the attacker must be
authenticated and must have the rights within Atlassian Confluence to
read uploaded Doxygen files (default).

The vulnerability allows remote attackers to obtain the local server
path and use it as a supplying information in further attacks like
RCESEC-2016-007.

7. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4

8. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
29/11/2016: Advisory released

9. REFERENCES
=============
-

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYMdWnAAoJELLTnL9hzYr6aigP/1/yn1fN9+/8g5EWUxkv5eTV
BLpIDeSqk0rItFF5DVGODQK9GKR4TqyloAbFGFpQCWKHjkN5tU3jXItSj4L6+kcW
+ZzRmudYxZSUIeDj/Ba1MlVXjfqBPNG7VjY8IBE85FZ5VHkAyZUP9nprRB0xqhd1
un64j84cG988FNMLq3j7kz515xreTPTzpS+HiJszhU3ml3GF2xsbaoDO44DdTFc/
kyeKpUU078xKj9KwZwRv6iU13IWuMyMwBWHptu+o5T1F5tSc8Ta/6ORfTHHYyvNk
g9XfP1tinD+xDFg07MEcdUMKrYuz8iqJDqo6r+dWnaKPHBaz69WsdXPMKzCIXMYQ
a7h4tCxFHCWAQ+Fg4Ox7vI6mzpLi0yntyhoXGwdAgOA7K9NsYbYx3WQ/XelM1Sdh
vz9/TQgY9nchH3wbXknAZuMzIzdp1bIyAw4huAeEhkk7K35gBBVx6vs8wjMkAhHf
Ai52g9ze3pruug3n8a9Wzim2fj/TKYlwQAxBJahfPalbmne/O5G8ulDGUDgQUQh8
pZfIpg9KOzS78l5qiQd9GFVxxmY2o0X5aUQVfZ0EPX65BAcT95Jxe9qOM6bb6sFc
ZRHQ4evlYtEgQXhh+MVLX2GDQi2SUUckGIohHhxjV2ogy+esqOOVVCj5u0miMYiL
edhWltk8lfKVNRollV1T
=aXRs
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus