RCE Security Advisory
http://ift.tt/1FlL0Pz

1. ADVISORY INFORMATION
=======================
Product:        AppFusions Doxygen for Atlassian Confluence
Vendor URL:     www.appfusions.com
Type:           Path Traversal [CWE-22]
Date found:     2016-06-23
Date published: -
CVSSv3 Score:   6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE:            -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.0
Older versions may be affected too.

4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:

- Doxygen blueprint in Confluence to allow Doxygen archive imports
- Display documentation from annotated sources such as Java (i.e., JavaDoc), C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice flavors), Fortran, VHDL, Tcl, D in Confluence.
- Navigation supports code structure (classes, hierarchies, files), element dependencies, inheritance and collaboration diagrams.
- Search documentation from within Confluence
- Restrict access to who can see/add what
- Doxygen in JIRA also available

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The application offers the functionality to import zipped Doxygen documentation via a file upload to make it available within a Confluence page. However, the application does not properly validate the "tempId" parameter, which represents the directory where the contents of the uploaded file will be extracted and stored. This leads to a path traversal vulnerability when "/../" sequences are used as part of the "tempId" parameter. Since the contents of the uploaded file are extracted to the traversed directory, this vulnerability could also lead to Remote Code Execution.
In DoxygenUploadServlet.java (lines 63-64) the "tempId" parameter is read as part of a GET request to "/plugins/servlet/doxygen/upload" and afterwards used in a "getTemporaryDirectory()" call:

    String tempId = request.getParameter("tempId");
    String destination = this.doxygenManager.getTemporaryDirectory(tempId).getAbsolutePath();

The "getTemporaryDirectory()" function is defined in DefaultDoxyGenManager.java (lines 38-41) and constructs a File object from the "java.io.tmpdir" system property, the static string "/doxygen-temp/", the user-supplied "tempId" and a file separator in between all parts:

    public File getTemporaryDirectory(String tempId) {
        File file = new File(System.getProperty("java.io.tmpdir") + File.separator + "doxygen-temp" + File.separator + tempId);
        return file;
    }

In the subsequent code the uploaded file, as represented by the "file" HTTP POST parameter to "/plugins/servlet/doxygen/upload", is extracted to the directory that was built from this File object. No check is made that the resulting directory still lies underneath "doxygen-temp".

The following Proof-of-Concept triggers this vulnerability by uploading a zipped file, which will be extracted to "/home/confluence" by the application:

    POST /plugins/servlet/doxygen/upload?tempId=/../../../../../../home/confluence HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 966
    Content-Type: multipart/form-data; boundary
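The lookup below is an added example, not AppFusions' code or a vendor patch: it keeps the advisory's vulnerable construction next to a hardened variant that accepts only an opaque token and then verifies that the resolved path is still contained in doxygen-temp. The class name, the token format and the values in main() are assumptions; the traversal string is the one from the PoC request above.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class TempDirCheck {

    // Same base the advisory describes: java.io.tmpdir + separator + "doxygen-temp"
    private static final Path BASE =
            Paths.get(System.getProperty("java.io.tmpdir"), "doxygen-temp")
                 .toAbsolutePath().normalize();

    // Vulnerable construction quoted in the advisory: tempId is concatenated
    // unchecked, so "/../" segments walk out of doxygen-temp.
    public static File vulnerableTemporaryDirectory(String tempId) {
        return new File(System.getProperty("java.io.tmpdir") + File.separator
                + "doxygen-temp" + File.separator + tempId);
    }

    // Hardened form (assumption: a valid tempId is a short opaque token
    // without separators, as an upload session id would be).
    public static File safeTemporaryDirectory(String tempId) {
        if (tempId == null || !tempId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("tempId must be an opaque token");
        }
        // Defense in depth: resolve, normalize, then require containment in BASE.
        // Path.resolve() returns an absolute argument unchanged, so an absolute
        // or traversing tempId fails startsWith() even without the allow-list.
        Path resolved = BASE.resolve(tempId).normalize();
        if (resolved.equals(BASE) || !resolved.startsWith(BASE)) {
            throw new IllegalArgumentException("tempId escapes doxygen-temp");
        }
        return resolved.toFile();
    }

    public static void main(String[] args) {
        String benign = "a1b2c3";                                // constructed sample
        String traversal = "/../../../../../../home/confluence"; // value from the PoC

        System.out.println("vulnerable(benign):    "
                + vulnerableTemporaryDirectory(benign).toPath().normalize());
        System.out.println("vulnerable(traversal): "
                + vulnerableTemporaryDirectory(traversal).toPath().normalize());
        System.out.println("safe(benign):          " + safeTemporaryDirectory(benign));
        try {
            safeTemporaryDirectory(traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("safe(traversal):       rejected (" + e.getMessage() + ")");
        }
    }
}
```

Validating tempId only fixes the destination directory; the entry names inside the uploaded archive need the same containment check before extraction, otherwise the archive itself can still place files outside doxygen-temp.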