[CONFSERVER-13039] Privilege escalation: User is able to add a page to his watchlist without having the permission

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.2, 2.10
Affects Version/s: 2.9, 2.9.1
Component/s: None
Labels:
Environment:

using standalone 2.9.1 win 2003 prof, jdk 1.6
also tested on 2.9 deployed in tomcat 6.0.18

Bug Fix Policy:
View Atlassian Server bug fix policy

Szenario:

create user1 and user2
user1 has access to space1
user2 has access to space2

user1 can add a page to his watchlist by manipulating (using a proxy like webscarab) the postrequest to
http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr

and replacing the id contained in parameter c0-param0

the posted data looks like that

callCount=1
c0-scriptName=PageNotification
c0-methodName=startWatching
c0-id=215_1221492126248
c0-param0=string:393224
xml=true

This results in the page being added to the users watchlist, displaying the title and the corresponding space, even though the user should not have access to this space at all.

I have not tested the email functionality since there was no mailserver available for testing wether a message gets sent on change of the watched page.

IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
you at least 30 days grace period prior to any public disclosure.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

conf_priv_esc.jpg
52 kB
15/Sep/2008 3:57 PM
PageNotificationBean.class
4 kB
19/Sep/2008 3:43 AM

Per Fragemann [Atlassian] added a comment - 24/Nov/2008 12:16 AM

just made title more understandable

Per Fragemann [Atlassian] added a comment - 24/Nov/2008 12:16 AM just made title more understandable

Mark Hrynczak (Inactive) added a comment - 23/Sep/2008 6:26 AM

Code has been updated, and new acceptance tests written to check the behaviour.

Mark Hrynczak (Inactive) added a comment - 23/Sep/2008 6:26 AM Code has been updated, and new acceptance tests written to check the behaviour.

Brian Nguyen (Inactive) added a comment - 21/Sep/2008 11:01 PM

Hi Thomas,

The patch for 2.9.1 would be to upgrade to 2.9.2 when it is released.

Cheers,
Brian

Brian Nguyen (Inactive) added a comment - 21/Sep/2008 11:01 PM Hi Thomas, The patch for 2.9.1 would be to upgrade to 2.9.2 when it is released. Cheers, Brian

Thomas Jaehnel added a comment - 19/Sep/2008 9:15 AM

Thanx for the quick response on all the reportet issues.

Is this patch also applicable to 2.9.1 since you mention only 2.8.2?

cheers,

thomas.

Thomas Jaehnel added a comment - 19/Sep/2008 9:15 AM Thanx for the quick response on all the reportet issues. Is this patch also applicable to 2.9.1 since you mention only 2.8.2? cheers, thomas.

Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:23 AM

Attached is the patch for Confluence 2.8.2. To apply the patch

Download the patch
Place the file into /confluence/WEB-INF/classes/com/atlassian/confluence/mail/notification/actions/
1. Create the folder if it does not exist
Restart Confluence

Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:23 AM Attached is the patch for Confluence 2.8.2. To apply the patch Download the patch Place the file into /confluence/WEB-INF/classes/com/atlassian/confluence/mail/notification/actions/ Create the folder if it does not exist Restart Confluence

Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:02 AM

This has been fixed for the upcoming 2.9.2 and 2.10 releases

Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:02 AM This has been fixed for the upcoming 2.9.2 and 2.10 releases

m@ (Inactive) added a comment - 18/Sep/2008 7:06 AM

Thomas

Thanks for the reports, I will be setting the priority to Critical as the issues get scheduled. We wont be releasing 2.9.2 until they are all addressed.

Cheers
Matt

m@ (Inactive) added a comment - 18/Sep/2008 7:06 AM Thomas Thanks for the reports, I will be setting the priority to Critical as the issues get scheduled. We wont be releasing 2.9.2 until they are all addressed. Cheers Matt

Assignee:: Brian Nguyen (Inactive)

Reporter:: Thomas Jaehnel

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 15/Sep/2008 3:57 PM

Updated:: 11/Oct/2018 8:36 AM

Resolved:: 23/Sep/2008 6:26 AM

Details

Description

Attachments

Attachments

Forms

Activity

Collapse comment: Per Fragemann [Atlassian] added a comment - 24/Nov/2008 12:16 AM

Expand comment: Per Fragemann [Atlassian] added a comment - 24/Nov/2008 12:16 AM

Collapse comment: Mark Hrynczak (Inactive) added a comment - 23/Sep/2008 6:26 AM

Expand comment: Mark Hrynczak (Inactive) added a comment - 23/Sep/2008 6:26 AM

Collapse comment: Brian Nguyen (Inactive) added a comment - 21/Sep/2008 11:01 PM

Expand comment: Brian Nguyen (Inactive) added a comment - 21/Sep/2008 11:01 PM

Collapse comment: Thomas Jaehnel added a comment - 19/Sep/2008 9:15 AM

Expand comment: Thomas Jaehnel added a comment - 19/Sep/2008 9:15 AM

Collapse comment: Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:23 AM

Expand comment: Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:23 AM

Collapse comment: Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:02 AM

Expand comment: Brian Nguyen (Inactive) added a comment - 19/Sep/2008 2:02 AM

Collapse comment: m@ (Inactive) added a comment - 18/Sep/2008 7:06 AM

Expand comment: m@ (Inactive) added a comment - 18/Sep/2008 7:06 AM

People

Dates