
Resource file path traversal in WebImagesDownloadResourceManager


Description

To reproduce:
1. Create a new page named foo (any name can be used, but it must match the markup in step 3).
2. In the editor, create an unmigrated-wiki-markup macro by typing "{a}" (don't copy/paste).
3. Replace the "{a}" in the macro with:

[foo|foo|"><img src="/confluence/images/../WEB-INF/classes/crowd.properties">]

4. Save the page.
5. Export to Word (view the page, click "Tools", click "Export to Word").
6. View the file as plain text (the contents of crowd.properties appear near the end).

WebImagesDownloadResourceManager handles the export of this URL. The traversal occurs in WebImagesDownloadResourceManager.java, lines 29-30 and 57. WebImagesDownloadResourceManager should definitely be fixed, as there are other paths to this code which may be vulnerable. There is also an escaping bug in ExportWordPageServer.java, line 639, which makes this attack much easier. While that escaping bug isn't a security vulnerability, it should also be fixed. (This bug may also exist in the "href" attribute - I'm not sure.)
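As an added example (not Confluence's own code), the resolver pattern behind this class of bug is shown beside a hardened version that normalizes the path and requires it to stay under the images directory. The class and method names and the web root path are assumptions; the only input taken from the report is the img src above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added illustration, not Confluence's code. ResourceResolver, resolveUnsafe,
// resolveSafe and the web root path are assumptions made for this example.
public class ResourceResolver {
    private final Path webRoot;    // expanded web application directory
    private final Path imagesDir;  // the only subtree an exported <img src> may name

    public ResourceResolver(Path webRoot) {
        this.webRoot = webRoot.toAbsolutePath().normalize();
        this.imagesDir = this.webRoot.resolve("images");
    }

    // Weak pattern: drop the context path and join the remainder onto the web root.
    // A relative part of "images/../WEB-INF/classes/crowd.properties" then resolves
    // inside WEB-INF because nothing checks where the joined path ends up.
    public Path resolveUnsafe(String contextPath, String src) {
        String rel = src.startsWith(contextPath) ? src.substring(contextPath.length()) : src;
        return webRoot.resolve(rel.replaceFirst("^/+", ""));
    }

    // Hardened pattern: decode, normalize, then require the result to remain strictly
    // below images/. Traversal, NUL bytes, malformed escapes and other subtrees are refused.
    public Optional<Path> resolveSafe(String contextPath, String src) {
        if (!src.startsWith(contextPath + "/")) return Optional.empty();
        Path candidate;
        try {
            String rel = URLDecoder.decode(src.substring(contextPath.length() + 1), StandardCharsets.UTF_8);
            if (rel.isEmpty() || rel.indexOf('\0') >= 0) return Optional.empty();
            candidate = webRoot.resolve(rel).normalize();
        } catch (IllegalArgumentException malformed) { // bad %-escape or InvalidPathException
            return Optional.empty();
        }
        // Path.startsWith compares whole components, so "imagesX" cannot satisfy it.
        if (!candidate.startsWith(imagesDir) || candidate.equals(imagesDir)) return Optional.empty();
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        ResourceResolver r = new ResourceResolver(Paths.get("/opt/confluence/webapp")); // assumed path
        String image = "/confluence/images/icons/page.png";                              // constructed
        String traversal = "/confluence/images/../WEB-INF/classes/crowd.properties";      // src from the report
        System.out.println("unsafe: " + r.resolveUnsafe("/confluence", traversal));
        System.out.println("safe image: " + r.resolveSafe("/confluence", image));
        System.out.println("safe traversal: " + r.resolveSafe("/confluence", traversal));
    }
}
```

The containment check must run on the normalized, decoded path; checking the raw string for "../" alone misses encoded variants and paths that only escape after normalization.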

Impact

This allows access to any resource file, which includes sensitive configuration information (like the crowd password, or the home directory path). It does not allow access to most files.

People

kfchong KaiA
djohnson@atlassian.com Dougall Johnson