-
Bug
-
Resolution: Fixed
-
Highest
-
2.10
-
None
-
Stand-alone 3.0.0_01, JDK 1.5.0_18-b02 on Ubuntu 9.04
Stand-alone 2.10.2, JDK 1.5.0_17-b04 on RHEL 4 AS
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to change a user's Profile Picture.
The doeditmyprofilepicture.action hander does not sufficiently validate the contents of the userProfilePictureName parameter, however. While Confluence does check the parameter to ensure that it begins with "/images/icons/profilepics/", which is the path to the built-in set of images, it does not reject ".." and similar strings. As a result, a user can use directory traversal to specify any URL on the Confluence web server as his or her Profile Picture.
Many (all?) Confluence administrative tasks can be accomplished using GET requests, so there are URLs on the Confluence web server that correspond to many administrative tasks. For example, this path:
/admin/users/adduserstogroup.action?usersToAdd=joeschmo&membersOfGroupTerm=confluence-administrators
Adds user joeschmo to the Confluence administrators group.
In order for an attacker to gain administrative access, then, all he or she must do it specify the appropriate adduserstogroup.action URL as a Profile Picture, and wait for an administrator to view a page that displays the Profile Picture. It should not be a very long wait, since many pages fit that description.
While Confluence 3.0 does not fix the validation of the userProfilePictureName parameter to doeditmyprofilepicture.action, it does
contain cross-site request forgery protection that makes exploiting it much more difficult.
All requests that actually "do things" require an additional parameter called atl_token, which is randomly generated and tied to a specific session. Without knowledge of their values for this parameter, it is not possible to cause other users to carry out actions when viewing a page with your Profile Picture.
See also a draft security advisory I would eventually like to release:
[CONFSERVER-16141] Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
| Workflow | Original: JAC Bug Workflow v3 [ 2897203 ] | New: CONFSERVER Bug Workflow v4 [ 2990194 ] |
| Workflow | Original: JAC Bug Workflow v2 [ 2788872 ] | New: JAC Bug Workflow v3 [ 2897203 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Workflow | Original: JAC Bug Workflow [ 2719380 ] | New: JAC Bug Workflow v2 [ 2788872 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2388093 ] | New: JAC Bug Workflow [ 2719380 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 2264621 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2388093 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2208275 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 2264621 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2188908 ] | New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2208275 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 1918447 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2188908 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v3 [ 1727960 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 1918447 ] |
| Workflow | Original: CONF Bug Subtask WF (TEMP) [ 1684357 ] | New: Confluence Workflow - Public Facing - Restricted v3 [ 1727960 ] |
