  1. Confluence Data Center
  2. CONFSERVER-30796

Resource file path traversal in IconDownloadResourceManager


Details

    Description

      To reproduce:
      1. Create a new page (title doesn't matter).
      2. Insert an image with URL:

      /confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties
      

      with /confluence/ replaced with the correct base path.
      (Edit the page, click +, click Image, select the From the Web tab, enter the path shown above, click Insert, click Save)
      3. Export to Word (view the page, click "Tools", click "Export to Word")
      4. View the file as plain text (the contents of crowd.properties appear near the end)


      IconDownloadResourceManager handles the export of this URL. The traversal occurs in IconDownloadResourceManager.java, lines 23-25. While this attack could be prevented at the ExportWordPageServer layer, IconDownloadResourceManager should definitely be fixed as there are other paths to this code which may be vulnerable.

      This allows access to any resource file, which includes sensitive configuration information (like the crowd password, or the home directory path). It does not allow access to most files.
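An added example, not Atlassian's code and not the contents of IconDownloadResourceManager.java (which this page does not show): the Java below contrasts a prefix check on the raw path, one common way this class of bug arises, with a check that resolves `..` segments first and then requires the result to stay under the icon directory. The class name, method names, the `/images/icons/` prefix (taken from the reproduction URL with the context path removed) and the sample file names are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

public final class IconResourcePathCheck { // hypothetical class, for illustration only
    // Assumed prefix, taken from the URL in the reproduction steps.
    static final String ICON_PREFIX = "/images/icons/";

    // Hypothetical "before": tests the prefix on the raw string, so ".."
    // segments that follow the prefix are never examined.
    static boolean naiveIsIconPath(String path) {
        return path != null && path.startsWith(ICON_PREFIX);
    }

    // Hardened form: resolve "." and ".." first, then require the result to
    // remain under ICON_PREFIX. Returns the path to load, or empty to refuse.
    static Optional<String> safeIconPath(String path) {
        if (path == null || !path.startsWith("/") || path.indexOf('\\') >= 0
                || path.indexOf('%') >= 0 || path.indexOf('\0') >= 0) {
            return Optional.empty(); // backslash, undecoded escape or NUL: refuse
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) continue;
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return Optional.empty(); // climbs above the resource root
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        String normalized = "/" + String.join("/", segments);
        return normalized.startsWith(ICON_PREFIX) ? Optional.of(normalized) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second is the path from the reproduction steps.
        String[] samples = {
            "/images/icons/profilepics/default.png",
            "/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties",
            "/images/icons/profilepics/../emoticons/smile.png",
        };
        for (String s : samples) {
            System.out.println(naiveIsIconPath(s) + " | " + safeIconPath(s).orElse("REFUSED") + " | " + s);
        }
    }
}
```

The resource lookup should use the normalized value returned by the check, not the original request string, so that the path that was validated is the path that is loaded.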

            People

              kfchong KaiA
              djohnson@atlassian.com Dougall Johnson