SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >
=======================================================================
title: Access Restriction Bypass
product: Atlassian Confluence
vulnerable version: 4.3.0 - 6.1.1
fixed version: 6.2.1
CVE number: -
impact: Medium
homepage: https://www.atlassian.com/
found: 2017-03-27
by: Mathias Frank (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set
conventional wisdom on its ear by launching a successful enterprise
software company with no sales force. From Australia. Our first product, JIRA,
proved that if you make a great piece of software, price it right, and make
it available to anyone to download from the internet, teams will come. And
they'll build great things with it. And they'll tell two friends, and so on,
and so on.
Today a lot has changed. We're over 1,700 Atlassians (and growing), in six
locations, with products to help all types of teams realize their visions and
get stuff done. But the fundamentals remain the same. We're for teams because
we believe that great teams can do amazing things. We're not afraid to do
things differently. And we're driven by an inspiring set of values that shape
our culture and our products for the better."

Source: https://www.atlassian.com/company

Business recommendation:
------------------------
SEC Consult recommends to upgrade to the latest version available which fixes
the identified issue.

Vulnerability overview/description:
-----------------------------------
1) Access Restriction Bypass
The "watch" functionality provides a user the option to subscribe to specific
content. Furthermore, the user gets a notification for any new comment made to the
previously subscribed content.

A user can manually subscribe to pages which he is not able to view and he then
receives any further comment made on the restricted page.

Proof of concept:
-----------------
1) Access Restriction Bypass
Prerequisite as admin user just for a proof of concept demo page:
* Create a Space "Demo Space" visible for every user and group
* Create a Page "Demo Page" (example pageID: 1048582) and restrict the
"Viewing and editing restriction" to only the administrator group/user with
the "/pages/getcontentpermissions.action" function.

Send the following request as user:
------------------------------------------------------------------------
------
POST /users/addpagenotificationajax.action HTTP/1.1
Host: localhost:8090
Referer: http://localhost:8090/display/ds/Welcome+to+Confluence
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

pageId=1048582&atl_token=1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7
------------------------------------------------------------------------
------

Then the user is subscribed to the "Demo Page" and receives a notification and is
able to receive any further comments made on the subscribed page.

Vulnerable / tested versions:
-----------------------------
The following version has been tested by SEC Consult
Atlassian Confluence version 5.9.14 and 6.1.1

Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are affected.

Vendor contact timeline:
------------------------
2017-04-03: Contacting vendor through security (at) atlassian (dot) com [email concealed]
2017-04-05: Vendor confirmed the vulnerability and issued the references
CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence
Cloud)
2017-04-13: Vendor fixed the issue CONFCLOUD-54634.
2017-05-11: Asked for planned timeline and release of an fix for CONFSERVER-52241.
2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1.
2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release along
with the advisory - https://jira.atlassian.com/browse/CONFSERVER-52560
2017-06-13: Public release of advisory.

Solution:
---------
Upgrade to version 6.2.1 available at:
https://www.atlassian.com/software/confluence/download
The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab.

https://jira.atlassian.com/browse/CONFSERVER-52560

Workaround:
-----------
Disable workbox notifications as per the instructions found at
https://confluence.atlassian.com/doc/configuring-workbox-notifications-3
01663830.html

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Mathias Frank / @2017

0? *?H?÷

 ?0?

10
 `?H
e
0? *?H?÷


 ?0?¯0?? 
à#Ë?S?­anzTgk!0
 *?H?÷


0o10 USE10U
AddTrust AB1&0$UAddTrust External TTP Network1"0 UAddTrust External CA Root0
141222000000Z
200530104838Z0?10 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0?
"0
 *?H?÷



?
0?

?

?±
ÚzSNpR¼V¦&·¸Ià?çQ«ñðZI£´?`¼zQB§y?¤"ßaN?Õv#
ÓJ¶ ?n¥=Ùº»þ¡?©.CRC|¯2PȦOZéØÏ?%?{?è0dæ¤øV?ý*$3?¬Dåi?£FKÂ3Ôé@?°±¬?@¹
µ?:?*S£Û= a<U?ÙNv%!)ú£|qvOîá_éûT?ÛÃ{5R·?Þ"=,0-1Y½R7°3i-CëúÖ¥ñ?wgQ?Ùî'ë¼¥8v?¤©
8ÿß?õ¬I¾Ê÷s?:2«??:=F:WtaP¾Æ@?Ëäâ?¢!

£?
0?
0U#0?­½?z4´&÷
úÄ&Tï½à$ËT0U?ak?ᢠªOìgñ£÷´?Áì0U

ÿ
?0U

ÿ0


ÿ
0U%0+
+
0U 
00U 0DU=0;09 7 5?3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
+


)0'0%+
0
?http://ocsp.usertrust.com0
 *?H?÷


?

*n¬UÁ:«?ÅØíÍUóªka+À #?Åfjo±õ´µw^aß}þ³¤??üû[jr
A¼ºÁXÕ&ÂêÕM?ûþ??ÏXã"c?Rø»6«}X¥Þ«;cåÚÕsïìàû{â£ÿðB#?ʶM>äK²¨-ÔØ»BKi
?Û¦74è{à
¥?Ê:Ç?O?4n?eÐ?»©ÜÊÊ6ÑôüÂd)5¯Ö±§qÒC±>?ì?2Sôv?Ê?4¹,ÊæJØ?
Á?â?ûZBj#!éeÇõÕ»~ê?? bêÑ:,YÅ?3ò8?å¶ézyöJ&ú|?û?0?a0?I 
+?þ%³`??5T«´0
 *?H?÷


0?10 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0
170301000000Z
200229235959Z0?
W10 UAT1
0U270010UNiederoesterreich10UWr. Neustadt10U Komarigasse 14/11.0,U
%SEC Consult Unternehmensberatung GmbH1I0GU@Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag10UCorporate Secure Email1&0$USEC Consult Vulnerability Lab1'0% *?H?÷


research (at) sec-consult (dot) com0 [email concealed]?
"0
 *?H?÷



?
0?

?

çââ³×p¼¬ÉÓ#ëäoú=1XÏsÍldhmþ·}jµ?ýySüx??¡%Vl´9«ÖHÍO½ËZ|¢ò?q4äËg?7ò?ù?t¥Á±å1Pzò¦<*WÒj,?%x?? ä??F¼ÜpF/*ÛЩk*TÅöb²??ÖӏñÏZ?QP´?wH;qf¢?r5·ÉyhXcü(#1~ ôYS"YÐ`U
?øô¤rP1u^ËØP.ëë?f}SÅäÖ[Hd¥¢áorà­ÔB?{u·@J·²¨°×®6vL±
h:?i -V£?ËLBóa

£?
à0?
Ü0U#0??ak?ᢠªOìgñ£÷´?Áì0U

G?gx.§~¢Òü¥El?%0U

ÿ 0U

ÿ00U%0+
+
0FU ?0=0;+

²1

0+0)+

https://secure.comodo.net/CPS0]UV0T0R P
 N?Lhttp://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEma
ilCA.crl0+


?0?0X+
0?Lhttp://crt.comodoca.com/COMODOS
HA256ClientAuthenticationandSecureEmailCA.crt0$+
0
?http://ocsp.c
omodoca.com0#U0research (at) sec-consult (dot) com0 [email concealed]
 *?H?÷


?

CÑË×úpÿtR

ðH§Àz7!]J ºæû¼]¨µX i?òÉ£­©cwSÀ/?­?ÓOÑ:þÚøw?P[
óü¹ÁÒ&©ã?ü-6?L5Y?ù6àòÀõ$Äð?z¼.È?ïNþ±ñ?øK×ÈV ® ¯ä@nÞ9ó¹Rk«*Ò¶èDÞÞ
(D'I5Ëé
{Ë­à¦]FϨújRO^pº=õ?æ?18!??¤q µa=c@2ÞTC?ïþ´4?~-?ø¿À?Hÿ¹¨r.ÁØØXW?YÊÆ?á:??ZÔûµ4àÒ2CSq3»?`Û?I?Ö²Ë3gj?ù»ºx1?A0?=

0°0?10 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
 `?H
e
 ?a0 *?H?÷

1 *?H?÷


0 *?H?÷

1
170613082237Z0/ *?H?÷

1" ðÚë?ñÆAÉ=vÈ?9±ÕH>?ë ÔÅcák<\õ«0l *?H?÷

1_0]0 `?H
e
*0 `?H
e
0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0Á +

?71³0°0?10 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0Ã*?H?÷

1³ °0?10 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
 *?H?÷



?
?°í 0m³Yþß@ú?Þl?W¶ÁüÛ?¼y?®ùðꥼj¶
Ån=??á
??ør,?¹wiè?ϐ»éÉR?L³Ç+/²q5 ·ÆMQL¸?Þ??;g?Ã,c*ÿ;¸[5¾Ym0zY9ô¯}l??C¦ð??÷+`¬£÷ïN¸ R?¬»3üá?V??ìp[Ý?t'ý7G¿½÷¼óS[à ñêðÌj² Í¿´@-õ³4eX?Æ?¸ÂµX~oY+àÓÁJ?Ôtààd|?9?é\è+?ÁuÔ0EÓ#Þüñ?úz2ö¬úe?ÂFîüî÷

[ reply ]