Details
- Bug
- Resolution: Fixed
- Low
- 5.2.4
- None
- 4
Description
To reproduce:
1. Create a new page (title doesn't matter).
2. Insert an image with URL:
/confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties
with /confluence/ replaced with the correct base path.
(Edit the page, click +, click Image, select the From the Web tab, enter the path shown above, click Insert, click Save)
3. Export to Word (view the page, click "Tools", click "Export to Word").
4. View the file as plain text (the contents of crowd.properties appear near the end).
IconDownloadResourceManager handles the export of this URL. The traversal occurs in IconDownloadResourceManager.java, lines 23-25. While this attack could be prevented at the ExportWordPageServer layer, IconDownloadResourceManager should definitely be fixed as there are other paths to this code which may be vulnerable.
This allows access to any resource file, which includes sensitive configuration information (like the crowd password, or the home directory path). It does not allow access to most files.
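A path check of the kind the report asks for at the resource-manager layer, as an added example; it is not Confluence source code and not the fix that was shipped. The class name, the `ALLOWED_PREFIX` value and the constructed sample paths are assumptions, and the context path (such as /confluence) is assumed to be stripped before the check.

```java
import java.net.URI;
import java.net.URISyntaxException;
// Added example, not Confluence source: class name and ALLOWED_PREFIX are assumptions.
public final class SafeResourcePath {
    // Assumed allow-listed directory, based on the icon URL in the report.
    private static final String ALLOWED_PREFIX = "/images/icons/";

    /** Returns the decoded path if it is safe to load, otherwise throws. */
    public static String validate(String requested) {
        URI uri;
        try {
            uri = new URI(requested);
        } catch (URISyntaxException | NullPointerException e) {
            throw new IllegalArgumentException("malformed resource path");
        }
        // Only server-relative paths: no scheme, no host.
        if (uri.isAbsolute() || uri.getRawAuthority() != null || uri.getPath() == null) {
            throw new IllegalArgumentException("not a local resource path");
        }
        String path = uri.getPath(); // percent-decoded exactly once
        // A leftover '%' means double encoding; '\' and NUL confuse later path handling.
        if (path.indexOf('%') >= 0 || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("suspicious characters in path");
        }
        // Reject dot segments outright instead of normalizing them away.
        for (String segment : path.split("/")) {
            if (segment.equals("..") || segment.equals(".")) {
                throw new IllegalArgumentException("dot segment in path");
            }
        }
        if (!path.startsWith(ALLOWED_PREFIX)) {
            throw new IllegalArgumentException("outside " + ALLOWED_PREFIX);
        }
        return path;
    }
    public static void main(String[] args) {
        String[] samples = { // first entry is from the report, the others are constructed
            "/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties",
            "/images/icons/%2e%2e/%2e%2e/WEB-INF/classes/crowd.properties",
            "/images/icons/profilepics/example.png",
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Placing the check inside the component that loads the resource means every caller gets it, which covers the other code paths the report mentions.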
Issue Links
- is related to CONFSERVER-30797 Resource file path traversal in WebImagesDownloadResourceManager (Closed)