Bamboo Data Center: BAM-14516

Open redirect on Bamboo login page, only when configured for HTTPS connections


Description

      This only happens when Bamboo is configured for HTTPS connections. It does not occur when Bamboo is served over plain HTTP://

      Description
      Bamboo has an open redirect on the login page which allows redirection to external sites. The os_destination parameter on the userlogin page (and other pages once logged in - see technical details below) allows you to redirect to any site if the URL is prefixed with two slashes.

      Attack Scenario
      This behaviour can help an attacker running a phishing scheme: many users only look at the domain name of a link before clicking on it, so they will think they are going to a regular Bamboo page when in fact they are being redirected to a malicious site.
      More info can be found in CWE-601 and the WASC page on open redirects.

      Reproduction

      Obviously, an attacker would have this redirect a victim to the attacker's own malicious site, not to atlassian.com. Also note that if you are already logged into Bamboo, browsing to the above link will redirect you immediately to the malicious site.

      Technical Details
      An HTTP 302 redirect is performed to the value of the os_destination parameter. An example response looks like this:

      HTTP/1.1 302 Found
      Server: Apache-Coyote/1.1
      X-Seraph-LoginReason: OK
      Location: https://atlassian.com
      Content-Length: 0
      Date: Tue, 22 Apr 2014 23:36:51 GMT

      I was only able to get redirects to work if the redirect URL begins with // (or %2F%2F when URL-encoded). Having special characters (such as the colon in http://) will redirect the user to the dashboard page, so it seems you can't redirect the user to links with any other protocols.

      If the user is already logged in, it doesn't seem to matter which page the os_destination parameter is on. Even if it's a page that doesn't exist, it will still redirect the user immediately. For example:
      https://bamboo.example.com/ThisCanBeAnything?os_destination=%2F%2Fatlassian.com
      https://bamboo.example.com/AnythingYouWant?os_destination=%2F%2Fatlassian.com

      I tested this on version 5.2.2 of Bamboo, but it's possible other versions are vulnerable as well.

      Solution
      Confluence solves this problem by concatenating the site's URL with the contents of os_destination. So for our above example, it would redirect you to https://bamboo.example.com//atlassian.com which is still an example.com site.

      Alternatively, you could have any os_destination that begins with // simply redirect the user to the dashboard, as is already done with special characters.

      Finally, if having a redirect to another domain via a URL parameter is a useful feature, you could have a page warning people they are about to leave Bamboo.
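      The first two mitigations from the Solution section, written out as added example code (this is not Bamboo's or Atlassian's code); the base URL, the DASHBOARD path and the function names are assumptions:

```python
from urllib.parse import unquote, urlsplit

# Assumed fallback landing page; a placeholder, not Bamboo's real dashboard path.
DASHBOARD = "/dashboard"


def concat_destination(base_url: str, os_destination: str) -> str:
    """Confluence-style fix: prepend the site's base URL to os_destination.

    '//atlassian.com' becomes 'https://bamboo.example.com//atlassian.com',
    which the browser resolves on the Bamboo host, not on atlassian.com.
    """
    dest = unquote(os_destination)
    if not dest.startswith("/"):
        dest = "/" + dest
    return base_url.rstrip("/") + dest


def safe_destination(base_url: str, os_destination: str) -> str:
    """Stricter fix: accept only a site-relative path, otherwise send the
    user to the dashboard, as Bamboo already does for values with a scheme.

    Rejects '//host' (protocol-relative), anything with a scheme, and the
    backslash variant '/\\host', which browsers normalise to '//host'.
    """
    base = urlsplit(base_url)
    fallback = base_url.rstrip("/") + DASHBOARD
    if not os_destination:
        return fallback
    # Assumes the raw, still percent-encoded query value; decoded once here.
    dest = unquote(os_destination).replace("\\", "/")
    if not dest.startswith("/") or dest.startswith("//"):
        return fallback
    resolved = base_url.rstrip("/") + dest
    # Defence in depth: the final URL must still be on the Bamboo origin.
    out = urlsplit(resolved)
    if (out.scheme, out.netloc) != (base.scheme, base.netloc):
        return fallback
    return resolved


if __name__ == "__main__":
    base = "https://bamboo.example.com"
    for d in ("%2F%2Fatlassian.com", "/browse/PROJ-1", "https://atlassian.com"):
        print(d, "->", concat_destination(base, d), "|", safe_destination(base, d))
```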

      People
        Assignee: Unassigned
        Reporter: Austin Munsch