Uploaded image for project: 'Confluence Cloud'
  1. Confluence Cloud
  2. CONFCLOUD-54383

File Attachment persistent XSS

XMLWordPrintable

      There is a persistent XSS vulnerability in the attachment download functionality of Confluence. By uploading a malicious executable file type like SVG (scalable vector graphics with embedded JavaScript), it’s possible for an attacker to execute arbitrary code under the context of the logged in user.

      The following screenshot demonstrates this vulnerability being exploited:

      It's recommended the attachment handling code have a white list of known good mime-types that can be rendered inline. For everything else, the HTTP headers for content-type and content-disposition should be set to “application/x-download” and “attachment;" respectively.

        1. PersistentXSS.PNG
          61 kB
        2. schema.svg
          2 kB

            [CONFCLOUD-54383] File Attachment persistent XSS

            David Black added a comment -

            Closing this issue as CONFDEV-9069 has now been fixed.

            David Black added a comment - Closing this issue as CONFDEV-9069 has now been fixed.

            David Black added a comment -

            Ideally a whitelist approach would be used. However, for the moment the approach that JIRA took is being merged into confluence. That is, provide:
            1. a default level that blacklists certain content-types and allow to be sent INLINE (Content-disposition: inline)
            2. a secure level where all attachments are sent as downloads (Content-disposition: attachment)
            3. an insecure level where attachments are sent INLINE (Content-disposition: inline)

            The current 'default level' blacklist approach needs to be swapped for a whitelist approach so as to keep up with future browser download behaviour changes. However, as a start it will use a blacklist approach.

            David Black added a comment - Ideally a whitelist approach would be used. However, for the moment the approach that JIRA took is being merged into confluence. That is, provide: 1. a default level that blacklists certain content-types and allow to be sent INLINE (Content-disposition: inline) 2. a secure level where all attachments are sent as downloads (Content-disposition: attachment) 3. an insecure level where attachments are sent INLINE (Content-disposition: inline) The current 'default level' blacklist approach needs to be swapped for a whitelist approach so as to keep up with future browser download behaviour changes. However, as a start it will use a blacklist approach.

            Dan Hodson added a comment -

            Thanks for the detailed information David. I'll pull down the master and have a review of the changes. Is there any reason why a whitelist approach wasn't taken for known good types to be inlined?

            Dan Hodson added a comment - Thanks for the detailed information David. I'll pull down the master and have a review of the changes. Is there any reason why a whitelist approach wasn't taken for known good types to be inlined?

            David Black added a comment -

            CVSS score: 6.5 => High severity

            Exploitability Metrics

            AccessVector Network
            AccessComplexity Low
            Authentication Single Instance

            Impact Metrics

            ConfImpact Partial
            IntegImpact Partial
            AvailImpact Partial

            See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

            David Black added a comment - CVSS score: 6.5 => High severity Exploitability Metrics AccessVector Network AccessComplexity Low Authentication Single Instance Impact Metrics ConfImpact Partial IntegImpact Partial AvailImpact Partial See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

            VitalyA added a comment -

            danh, git pull ?

            VitalyA added a comment - danh , git pull ?

            David Black added a comment -

            danh Yes we are already aware of this issue. What isn't in the code you are auditing are changes which are now in master and a release version soon which swap the code to use a blacklist approach which I'll describe below:

            Just a note before the approach is described:
            Attachment download requests in confluence-core/confluence/src/java/com/atlassian/confluence/servlet/download/AttachmentDownload.java now have the following headers set on all download responses:
            1. X-Content-Type-Options : nosniff
            2. X-Download-Options : noopenq

            Approach:

            Given a content-type check if it is found within a blacklist('executableContentTypes') of content-types like this:
            (note: the executableContentType come through as lower case)

                public boolean isExecutableContentType(final String contentType) {
        boolean isExecutableContentType = false;
        if (StringUtils.isBlank(contentType)) {
            return true;
        }

        for(String executableContentType : executableContentTypes) {
            if (contentType.toLowerCase(Locale.US).contains(executableContentType) ) {
                isExecutableContentType = true;
                break;
            }
        }
        return isExecutableContentType;
    }

            then the download is sent with a Content-Disposition:attachment header. The current blacklist list appears as follows: 

            text/html text/html-sandboxed text/xhtml application/xhtml+xml \
  text/xml application/xml text/xml-external-parsed-entity application/xml-external-parsed-entity application/xml-dtd \
  application/x-shockwave-flash image/svg+xml image/svg-xml application/futuresplash application/x-cab video/x-flv \
  application/octet-stream

            David Black added a comment - danh Yes we are already aware of this issue. What isn't in the code you are auditing are changes which are now in master and a release version soon which swap the code to use a blacklist approach which I'll describe below: Just a note before the approach is described: Attachment download requests in confluence-core/confluence/src/java/com/atlassian/confluence/servlet/download/AttachmentDownload.java now have the following headers set on all download responses: 1. X-Content-Type-Options : nosniff 2. X-Download-Options : noopenq Approach: Given a content-type check if it is found within a blacklist('executableContentTypes') of content-types like this: (note: the executableContentType come through as lower case) public boolean isExecutableContentType( final String contentType) { boolean isExecutableContentType = false ; if (StringUtils.isBlank(contentType)) { return true ; } for ( String executableContentType : executableContentTypes) { if (contentType.toLowerCase(Locale.US).contains(executableContentType) ) { isExecutableContentType = true ; break ; } } return isExecutableContentType; } then the download is sent with a Content-Disposition:attachment header. The current blacklist list appears as follows: text/html text/html-sandboxed text/xhtml application/xhtml+xml \ text/xml application/xml text/xml-external-parsed-entity application/xml-external-parsed-entity application/xml-dtd \ application/x-shockwave-flash image/svg+xml image/svg-xml application/futuresplash application/x-cab video/x-flv \ application/octet-stream

            Dan Hodson added a comment -

            Adding SVG file used in testing. The sample is not malicious and will just pop an alert box.

            Dan Hodson added a comment - Adding SVG file used in testing. The sample is not malicious and will just pop an alert box.

              Unassigned Unassigned
              f4e9401f9900 Dan Hodson
              Affected customers:
              0 This affects my team
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: