High Clarification Sorry, we should have filled in this before making the issue public.
The attached patch can be applied to any version of Confluence from 1.3 - 2.9.1. It works by filtering out URL parameters that are known to be dangerous. To apply the patch, follow the instructions given by Roberto below.
You do not need to patch Confluence 2.9.2 as it already includes this fix.
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[CONFSERVER-13092] Provide Patch for XWork ParametersInterceptor attacks
xin
added a comment - I installed the patch on 2.8.2. Only got blank page if I add ?bootstrapManager=cheese to some urls (i.e. http://localhost:8080/dashboard.action). Got System Error if adding to some other urls (i.e. http://localhost:8080/display/ds/Creating+a+space). Is this correct?
xin
added a comment - I installed the patch on 2.8.2. Only got blank page if I add ?bootstrapManager=cheese to some urls (i.e. http://localhost:8080/dashboard.action ). Got System Error if adding to some other urls (i.e. http://localhost:8080/display/ds/Creating+a+space ). Is this correct? 
Roberto Dominguez
added a comment - OK, I figured it out myself, this is what I did:
- Add the above class file into your installation jar file, as per http://confluence.atlassian.com/display/DOC/Editing+files+within+.jar+archives *but don't repackage it yet (you might need to created a new directory xwork within com.atlassian.confluence)
- You need to register the new interceptor in xwork.xml:
- Edit the file xwork.xml that is located in the root of the exploded jar
- Add the following line right after the <interceptors> (note that it should be the very first interceptor on the list:
<interceptor name="safeparams" class="com.atlassian.confluence.xwork.ParameterFilterInterceptor"/>
- Now add the reference to the new interceptor, right before <interceptor-ref name="transaction"/>:
<interceptor-ref name="safeparams"/>
- Now repackage the jar file, copy it to the right location and start the server
- To make sure the interceptor was install properly, try adding an offending parameter to any url, i.e. ?bootstrapManager=cheese. You should get a blank screen and and error should be logged.
try it on a test/dev environment first!
Happy patching!
Disclaimer: YMMV. tested on 2.8.2, provided as is, no liability, etc, etc
Roberto Dominguez
added a comment - OK, I figured it out myself, this is what I did:
Add the above class file into your installation jar file, as per http://confluence.atlassian.com/display/DOC/Editing+files+within+.jar+archives *but don't repackage it yet (you might need to created a new directory xwork within com.atlassian.confluence )
You need to register the new interceptor in xwork.xml :
Edit the file xwork.xml that is located in the root of the exploded jar
Add the following line right after the <interceptors> (note that it should be the very first interceptor on the list:
<interceptor name="safeparams" class="com.atlassian.confluence.xwork.ParameterFilterInterceptor"/>
Now add the reference to the new interceptor, right before <interceptor-ref name="transaction"/> :
<interceptor-ref name="safeparams"/>
Now repackage the jar file, copy it to the right location and start the server
To make sure the interceptor was install properly, try adding an offending parameter to any url, i.e. ?bootstrapManager=cheese . You should get a blank screen and and error should be logged.
try it on a test/dev environment first!
Happy patching!
Disclaimer: YMMV. tested on 2.8.2, provided as is, no liability, etc, etc
Roberto Dominguez
added a comment - Could somebody elaborate on how this is to be installed? i.e. how/where to register the interceptor
Roberto Dominguez
added a comment - Could somebody elaborate on how this is to be installed? i.e. how/where to register the interceptor Implemented an XWork interceptor that will filter out known-bad parameters, did an audit on actions to make sure there were no further unsafe uses of ContainerManager-loaded components.
If we compile the ParameterFilterInterceptor class with Java 1.4, we should be able to distribute it as a patch for pre-2.9 Confluence instances.
Xin, If you are only experiencing errors on the request that forged the bootstrapManager parameter (and its not affecting any other session or the server in any way) then its working as expected.