Confluence Cloud / CONFCLOUD-54581

CreateSupportZipAction directory traversal


Details

    Description

      There is a directory traversal vulnerability in the CreateSupportZipAction action that allows a malicious user to include the contents of an arbitrary directory in a support zip. The SupportUtility object returned by getSupportUtility() is marked @ParameterSafe, so its properties (including serverLogsDirectory) can be set from request parameters, and validate() only checks that the supplied path exists; it does not restrict the path to the server's log directory, so values containing ".." or pointing at an unrelated directory are accepted. This is only exploitable for containers that are not Tomcat.

      File: confluence-project\confluence-core\confluence\src\java\com\atlassian\confluence\admin\Actions\CreateSupportZipAction.java

      CreateSupportZipAction.java
      public class CreateSupportZipAction extends ViewSystemInfoAction implements FormAware
      {
      ...
        private String supportZipLocation = "";
        private GateKeeper gateKeeper;
        private String downloadPath;
        private ConfluencePluginObjectFactory confluencePluginObjectFactory;
        private SupportUtility supportUtility;

        public String doDefault() throws Exception
        {
          getSupportUtility().setDefaults();
          return super.doDefault();
        }

        // Delegates to SupportUtility.validate(), which only checks that the path exists.
        public void validate()
        {
          getSupportUtility().validate();
        }

        // @ParameterSafe lets request parameters be bound onto the returned object,
        // so serverLogsDirectory (e.g. supportUtility.serverLogsDirectory) is user-controlled.
        @ParameterSafe
        public SupportUtility getSupportUtility()
        {
          if (supportUtility == null)
          {
            String confluenceHomeDirectory = getBootstrapManager().getApplicationHome();
            String webInfClassesDirectory = ServletActionContext.getServletContext().getRealPath("WEB-INF/classes");
            supportUtility = new SupportUtility(this, confluenceHomeDirectory, webInfClassesDirectory);
          }
          return supportUtility;
        }
      ...
      }

      File: confluence-project\confluence-core\confluence\src\java\com\atlassian\confluence\Util\SupportUtility.java

      SupportUtility.java
      public class SupportUtility implements Validateable
      {
      ...
        public void validate()
        {
          if (!isTomcatServer() && includeServerLogs)
          {
            if (StringUtils.isBlank(serverLogsDirectory))
            {
              validationAware.addFieldError("serverLogsDirectory", validationAware.getText("create.support.zip.error.no.log"));
            }
            else
            {
              // Only existence is checked: the path is never canonicalised or
              // compared against the server's log directory, so "../.." style
              // values and unrelated directories pass validation.
              File file = new File(serverLogsDirectory);
              if (!file.exists())
              {
                validationAware.addFieldError("serverLogsDirectory", validationAware.getText("create.support.zip.error.invalid.path"));
              }
            }
          }
        }
      ...
      }
      
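      As an added example (not Confluence code), the following standalone Java class puts the ticket's exists()-only check beside a hardened version that canonicalises the requested path with toRealPath() and requires it to be a directory located under an administrator-configured root. The class name, the allowedRoot parameter and the temporary-directory fixture are assumptions made for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Confluence code: the weak exists()-only check from the
 * ticket beside a hardened check that canonicalises the requested path and
 * requires it to stay inside an administrator-configured root directory.
 */
public final class ServerLogsDirectoryCheck {

    /** Mirrors the ticket's validate(): any non-blank path that exists is accepted. */
    static boolean weakCheck(String serverLogsDirectory) {
        return serverLogsDirectory != null
                && !serverLogsDirectory.trim().isEmpty()
                && new File(serverLogsDirectory).exists();
    }

    private final Path allowedRoot;

    /** allowedRoot is assumed to come from server configuration, never from the request. */
    ServerLogsDirectoryCheck(Path allowedRoot) throws IOException {
        // toRealPath() resolves symlinks and ".." so the comparison below is on canonical form
        this.allowedRoot = allowedRoot.toRealPath();
    }

    /**
     * Hardened check: the path must canonicalise to a directory under allowedRoot.
     * Returns the canonical path, or null when the request must be rejected.
     */
    Path strictCheck(String serverLogsDirectory) {
        if (serverLogsDirectory == null || serverLogsDirectory.trim().isEmpty()) {
            return null;
        }
        final Path candidate;
        try {
            candidate = Paths.get(serverLogsDirectory).toRealPath();
        } catch (IOException | InvalidPathException e) {
            return null; // does not exist, is unreadable, or is not a valid path
        }
        if (!candidate.startsWith(allowedRoot) || !Files.isDirectory(candidate)) {
            return null; // escaped the allowed root (via ".." or a symlink) or is not a directory
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: <tmp>/logs is the legitimate log directory,
        // <tmp>/secret stands in for a directory an attacker wants zipped up.
        Path base = Files.createTempDirectory("support-zip-demo");
        Path logs = Files.createDirectories(base.resolve("logs"));
        Path secret = Files.createDirectories(base.resolve("secret"));
        Files.write(secret.resolve("db.properties"), "password=hunter2".getBytes());

        // A traversal value of the kind serverLogsDirectory would accept: <tmp>/logs/../secret
        String traversal = logs.resolve("..").resolve("secret").toString();

        ServerLogsDirectoryCheck check = new ServerLogsDirectoryCheck(logs);
        System.out.println("exists()-only check accepts traversal: " + weakCheck(traversal));
        System.out.println("strict check on traversal:            " + check.strictCheck(traversal));
        System.out.println("strict check on real log directory:   " + check.strictCheck(logs.toString()));
    }
}
```

      The weak check accepts the traversal value because java.io.File.exists() happily resolves ".." components; the strict check rejects it because the canonical form of the path is no longer a descendant of the configured root. Comparing canonical Paths with startsWith() rather than comparing strings also avoids the classic prefix mistake where /var/logs-archive would be treated as being under /var/logs.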

      People

        Alice Wang (Inactive)
        Dan Hodson