Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-13039

Privilege escalation: User is able to add a page to his watchlist without having the permission

      Szenario:

      create user1 and user2
      user1 has access to space1
      user2 has access to space2

      user1 can add a page to his watchlist by manipulating (using a proxy like webscarab) the postrequest to
      http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr

      and replacing the id contained in parameter c0-param0

      the posted data looks like that

      callCount=1
      c0-scriptName=PageNotification
      c0-methodName=startWatching
      c0-id=215_1221492126248
      c0-param0=string:393224
      xml=true

      This results in the page being added to the users watchlist, displaying the title and the corresponding space, even though the user should not have access to this space at all.

      I have not tested the email functionality since there was no mailserver available for testing wether a message gets sent on change of the watched page.

      IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
      vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
      you at least 30 days grace period prior to any public disclosure.

            [CONFSERVER-13039] Privilege escalation: User is able to add a page to his watchlist without having the permission

            just made title more understandable

            Per Fragemann [Atlassian] added a comment - just made title more understandable

            Code has been updated, and new acceptance tests written to check the behaviour.

            Mark Hrynczak (Inactive) added a comment - Code has been updated, and new acceptance tests written to check the behaviour.

            Hi Thomas,

            The patch for 2.9.1 would be to upgrade to 2.9.2 when it is released.

            Cheers,
            Brian

            Brian Nguyen (Inactive) added a comment - Hi Thomas, The patch for 2.9.1 would be to upgrade to 2.9.2 when it is released. Cheers, Brian

            Thanx for the quick response on all the reportet issues.

            Is this patch also applicable to 2.9.1 since you mention only 2.8.2?

            cheers,

            thomas.

            Thomas Jaehnel added a comment - Thanx for the quick response on all the reportet issues. Is this patch also applicable to 2.9.1 since you mention only 2.8.2? cheers, thomas.

            Attached is the patch for Confluence 2.8.2. To apply the patch

            1. Download the patch
            2. Place the file into /confluence/WEB-INF/classes/com/atlassian/confluence/mail/notification/actions/
              1. Create the folder if it does not exist
            3. Restart Confluence

            Brian Nguyen (Inactive) added a comment - Attached is the patch for Confluence 2.8.2. To apply the patch Download the patch Place the file into /confluence/WEB-INF/classes/com/atlassian/confluence/mail/notification/actions/ Create the folder if it does not exist Restart Confluence

            This has been fixed for the upcoming 2.9.2 and 2.10 releases

            Brian Nguyen (Inactive) added a comment - This has been fixed for the upcoming 2.9.2 and 2.10 releases

            Thomas

            Thanks for the reports, I will be setting the priority to Critical as the issues get scheduled. We wont be releasing 2.9.2 until they are all addressed.

            Cheers
            Matt

            m@ (Inactive) added a comment - Thomas Thanks for the reports, I will be setting the priority to Critical as the issues get scheduled. We wont be releasing 2.9.2 until they are all addressed. Cheers Matt

              bnguyen Brian Nguyen (Inactive)
              9454181e1678 Thomas Jaehnel
              Affected customers:
              0 This affects my team
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: