In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java, the deleteReferrersWithPrefix method of the DefaultReferralManager class is vulnerable to SQL injection through the user-controlled 'prefix' parameter. The issue is reachable by an Admin user through the 'Manage Referrers' admin resource: adding a 'Referrer URL Prefix' which contains a ' followed by some SQL and then selecting 'purge' or 'delete' on the given URL prefix sends that SQL to the database as part of the query.

    The vulnerable code appears as follows:

        import java.sql.Connection;
        import java.sql.PreparedStatement;
        import java.sql.ResultSet;
        import java.sql.SQLException;
        // Session, SessionFactoryUtils and HibernateException are the Hibernate 2 / Spring
        // types of that Confluence generation, and JDBCUtils a Confluence helper (assumed,
        // not shown in the excerpt); sessionFactory and log are fields of the enclosing class.

        /**
         * potential for mass deletes in this operation. more efficient to use direct jdbc than to do it through hibernate
         *
         * @param prefix user-controlled value taken from the 'Referrer URL Prefix' field
         */
        public int deleteReferrersWithPrefix(String prefix)
        {
            Session session = SessionFactoryUtils.getSession(sessionFactory, true);
            int totalLinksPurged = 0;
            PreparedStatement ps = null;
            ResultSet rs = null;

            try
            {
                Connection c = session.connection();

                // prefix is concatenated straight into the SQL text: a ' inside it closes
                // the string literal and whatever follows becomes part of the statement
                String mysql = "select count(*) from EXTRNLNKS where URL LIKE '" + prefix + "%'";

                ps = c.prepareStatement(mysql);
                rs = ps.executeQuery();
                rs.next();
                totalLinksPurged = rs.getInt(1);

                // the same concatenation again, this time in the delete
                mysql = "delete from EXTRNLNKS where URL LIKE '" + prefix + "%'";

                // ps is reassigned here without closing the first statement
                ps = c.prepareStatement(mysql);
                ps.execute();

                //clear hibernate caches, since we used direct jdbc above to be consistent
                sessionFactory.evictQueries();
                sessionFactory.evict(ReferralLink.class);
            }
            catch (HibernateException e)
            {
                log.error("Can't delete referrer with prefix: "+ prefix, e);
            }
            catch (SQLException e)
            {
                log.error("Can't delete referrer with prefix: "+ prefix, e);
            }
            finally
            {
                JDBCUtils.close(rs);
                JDBCUtils.close(ps);
            }

            return totalLinksPurged; // method tail restored; the excerpt on the issue ends at the finally block
        }
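    A parameterised form of the same purge, added here as an example; it is not Confluence's own fix (the actual patch is not shown on this issue). It assumes the caller already holds a JDBC Connection; the SafeReferrerPurge class, the escapeLikePrefix helper, the '!' escape character and the empty-prefix guard are choices made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example (not Confluence's fix): the prefix travels as a bound JDBC
// parameter instead of being concatenated into the statement text.
public final class SafeReferrerPurge {

    // Escape character for the LIKE pattern. '!' is used rather than '\' because
    // some databases (MySQL, for one) already treat '\' specially inside string
    // literals, which makes "ESCAPE '\'" behave differently across dialects.
    private static final char LIKE_ESCAPE = '!';

    /**
     * Turns a user-supplied prefix into a LIKE pattern in which every character
     * of the prefix is literal. Binding alone does not do this: a prefix of "%"
     * or "_" would still match (and delete) far more than the operator intended.
     */
    static String escapeLikePrefix(String prefix) {
        StringBuilder sb = new StringBuilder(prefix.length() + 8);
        for (char ch : prefix.toCharArray()) {
            if (ch == '%' || ch == '_' || ch == LIKE_ESCAPE) {
                sb.append(LIKE_ESCAPE);
            }
            sb.append(ch);
        }
        return sb.append('%').toString(); // the trailing '%' is the only live wildcard
    }

    /**
     * Deletes EXTRNLNKS rows whose URL starts with prefix and returns how many
     * rows went. A quote inside prefix is plain data here: the SQL text is fixed.
     * The caller still owns the connection/transaction and, as in the original,
     * must evict Hibernate's caches afterwards because this bypasses the ORM.
     */
    public static int deleteReferrersWithPrefix(Connection c, String prefix) throws SQLException {
        // guard added in this example; an empty prefix would otherwise purge every row
        if (prefix == null || prefix.isEmpty()) {
            throw new IllegalArgumentException("refusing to purge with an empty prefix");
        }
        String sql = "delete from EXTRNLNKS where URL LIKE ? ESCAPE '" + LIKE_ESCAPE + "'";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, escapeLikePrefix(prefix));
            return ps.executeUpdate(); // affected-row count replaces the separate count query
        }
    }
}
```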

    [CONFSERVER-26799] SQL injection in DefaultReferralManager

    Labels: affects-server cvss-high injection security sqli
    Status: Closed

    Julien Michel Hoarau (jhoarau)
    David Black (dblack)