BugTraq
[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting Nov 20 2016 04:59PM
Julien Ahrens (info rcesecurity com)
RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Cross-site Scripting [CWE-79]
Date found: 2016-06-29
Date published: -
CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE: -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.

4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and
UNO/OpenOffice
flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The application offers the functionality to import zipped Doxygen
documentations via a file upload to make them available in a Confluence
page, but does not properly validate the file format/the contents of the
uploaded Doxygen file. Since the uploaded file is basically a zipped
archive, it is possible to store any type of file in it like an HTML
file containing arbitrary script.

In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object:

private void renderContent(HttpServletRequest request,
HttpServletResponse response) throws IOException {
String pathInfo = request.getPathInfo();
String[] pathInfoParts = pathInfo.split("file/");
String requestedFile = pathInfoParts[1];
File homeDirectory = this.applicationProperties.getHomeDirectory();
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator
+ "doxygen";
File file = new File(doxygenDir, requestedFile);
String contentType =
this.getServletContext().getMimeType(file.getName());
if (contentType == null) {
contentType = "application/octet-stream";
}
response.setContentType(contentType);
FileInputStream inputStream = null;
ServletOutputStream outputStream = null;
try {
inputStream = new FileInputStream(file);
outputStream = response.getOutputStream();
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
}
finally {
IOUtils.closeQuietly((InputStream)inputStream);
IOUtils.closeQuietly((OutputStream)outputStream);
}
}

6. RISK
=======
To successfully exploit this vulnerability, the attacker must be
authenticated and must have the rights within Atlassian Confluence to
upload Doxygen files (default).

The vulnerability allows remote attackers to permanently embed arbitrary
script code into the context of an Atlassian Confluence page, which
offers a wide range of possible attacks such as redirecting users to
arbitrary pages, present phishing content or attacking the browser and
its components of a user visiting the page.

7. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4

8. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released

9. REFERENCES
=============
-

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYMdZgAAoJELLTnL9hzYr6BNsP/iFY04wqqbsq0dpOj+KCyIn0
Ve8ABKUr0KjqWJzfyA4eccsaUC7TowOlMFVZ01QEvxBrFKsC7uTjWZ3l4/sMj6V+
PjasMMomwmFbTY64n3NsecN/N91SNrHIDMKtEOVDWeBsU6TuUlv+SjlhIqNCSO4z
1IfYz3azmzBxWj6qTQHV2INcodK21TzpZ3oeaa+gOlyqmbiNJ9MGdkLcwiE8qoXt
vBE06PFoZri2Vj+nXwyeQUXMlEbGKllB6OEB3F6Ze+0ZhmzGSjNsa5oS/3BujpJX
z8aCC6oAzbkwMXDynd0Ay+3vSbsFIK2bheKhDDJFdsd0m9GSe3bR30qWvgbHo3ix
f6PVgT2j11h4KIdmCLkXds9O666h20SKx4O15OeFrfK8Qp+i+NBIfIPsMjfnWvP9
AqJuRpYzAG7e7zqBMz7ExtK6HxwfM2DJOEmpnz/ICDVP1BzeIXZaFfnrjREIRXej
CFAKuEknF5YxcMM/nb2MOjoVawHDo728Cy/oVq/fOs6JJ+49mGldK2/4iBlbMq7T
JsbnweN7TsS20mJanJivfI0P+hHBk2VMkdSodPJUatGKp4yOiOHEW/AYxUDh9QV9
iyCGPWZp0iA5tvKi7p8Q4H5fmqv22XBEQvK4xQg6ZfZPqYIVKFEu+Xevj6aGO6/b
+VQN4plPR7XQJ6tl+jdZ
=ZbrE
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus