- Bug
- Resolution: Fixed
- Medium
- None
- 3.5
There's a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include arbitrary log files in a support zip. The getSupportUtility() getter is marked @ParameterSafe, so request parameters can set properties on the returned SupportUtility object, and no validation is performed on its serverLogsDirectory path beyond checking that it exists. This is only exploitable for containers that are not Tomcat.
File: confluence-project\confluence-core\confluence\src\java\com\atlassian\confluence\admin\Actions\CreateSupportZipAction.java
```java
public class CreateSupportZipAction extends ViewSystemInfoAction implements FormAware {
    ...
    private String supportZipLocation = "";
    private GateKeeper gateKeeper;
    private String downloadPath;
    private ConfluencePluginObjectFactory confluencePluginObjectFactory;
    private SupportUtility supportUtility;

    public String doDefault() throws Exception {
        getSupportUtility().setDefaults();
        return super.doDefault();
    }

    public void validate() {
        getSupportUtility().validate();
    }

    // @ParameterSafe allows request parameters to be bound onto the
    // properties of the object this getter returns.
    @ParameterSafe
    public SupportUtility getSupportUtility() {
        if (supportUtility == null) {
            String confluenceHomeDirectory = getBootstrapManager().getApplicationHome();
            String webInfClassesDirectory = ServletActionContext.getServletContext().getRealPath("WEB-INF/classes");
            supportUtility = new SupportUtility(this, confluenceHomeDirectory, webInfClassesDirectory);
        }
        return supportUtility;
    }
    ...
}
```
File: confluence-project\confluence-core\confluence\src\java\com\atlassian\confluence\Util\SupportUtility.java
```java
public class SupportUtility implements Validateable {
    ...
    public void validate() {
        if (!isTomcatServer() && includeServerLogs) {
            if (StringUtils.isBlank(serverLogsDirectory)) {
                validationAware.addFieldError("serverLogsDirectory", validationAware.getText("create.support.zip.error.no.log"));
            } else {
                // The only check is that the path exists; nothing restricts
                // where on the file system it points.
                File file = new File(serverLogsDirectory);
                if (!file.exists()) {
                    validationAware.addFieldError("serverLogsDirectory", validationAware.getText("create.support.zip.error.invalid.path"));
                }
            }
        }
    }
}
```
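One way to close the gap in validate() is to resolve the supplied directory to its real path and require it to sit under an administrator-configured base directory. This is an added example, not Atlassian's fix or code from the Confluence source; the class name, the isInsideAllowedBase helper and the idea of a configured base directory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class LogDirectoryValidator {

    // Hypothetical helper: true only if 'requested' is an existing directory
    // whose real path lies inside 'allowedBase'.
    static boolean isInsideAllowedBase(String requested, Path allowedBase) {
        if (requested == null || requested.trim().isEmpty()) {
            return false;
        }
        try {
            // toRealPath() resolves ".." segments and symbolic links, and
            // throws if the path does not exist.
            Path base = allowedBase.toRealPath();
            Path real = Paths.get(requested).toRealPath();
            // Path.startsWith compares whole name elements, so a sibling
            // such as "logs-old" does not match a base of "logs".
            return Files.isDirectory(real) && real.startsWith(base);
        } catch (IOException | RuntimeException e) {
            // Missing, unreadable or malformed path: reject.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path root = Files.createTempDirectory("support-zip-demo");
        Path logs = Files.createDirectories(root.resolve("server").resolve("logs"));
        Files.createDirectories(logs.resolve("archive"));
        Files.createDirectories(root.resolve("server").resolve("logs-old"));
        Files.createDirectories(root.resolve("home").resolve("private"));

        String[] candidates = {
            logs.resolve("archive").toString(),                      // inside: accepted
            logs.resolve("..").resolve("..").resolve("home")
                .resolve("private").toString(),                      // traversal: rejected
            root.resolve("server").resolve("logs-old").toString(),   // sibling: rejected
            logs.resolve("missing").toString(),                      // nonexistent: rejected
            "   "                                                    // blank: rejected
        };
        for (String candidate : candidates) {
            System.out.println(isInsideAllowedBase(candidate, logs) + "  " + candidate);
        }
    }
}
```

In an action like the one above, a false result would map to the existing create.support.zip.error.invalid.path field error.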