-
Bug
-
Resolution: Fixed
-
Highest
-
2.10
-
None
-
Stand-alone 3.0.0_01, JDK 1.5.0_18-b02 on Ubuntu 9.04
Stand-alone 2.10.2, JDK 1.5.0_17-b04 on RHEL 4 AS
Confluence allows its users to specify a "Profile Picture," an image that appears on many pages related to the user. A user can either upload a custom image, or select one from a set provided by Confluence. Confluence uses the /users/doeditmyprofilepicture.action path to process requests to change a user's Profile Picture.
The doeditmyprofilepicture.action hander does not sufficiently validate the contents of the userProfilePictureName parameter, however. While Confluence does check the parameter to ensure that it begins with "/images/icons/profilepics/", which is the path to the built-in set of images, it does not reject ".." and similar strings. As a result, a user can use directory traversal to specify any URL on the Confluence web server as his or her Profile Picture.
Many (all?) Confluence administrative tasks can be accomplished using GET requests, so there are URLs on the Confluence web server that correspond to many administrative tasks. For example, this path:
/admin/users/adduserstogroup.action?usersToAdd=joeschmo&membersOfGroupTerm=confluence-administrators
Adds user joeschmo to the Confluence administrators group.
In order for an attacker to gain administrative access, then, all he or she must do it specify the appropriate adduserstogroup.action URL as a Profile Picture, and wait for an administrator to view a page that displays the Profile Picture. It should not be a very long wait, since many pages fit that description.
While Confluence 3.0 does not fix the validation of the userProfilePictureName parameter to doeditmyprofilepicture.action, it does
contain cross-site request forgery protection that makes exploiting it much more difficult.
All requests that actually "do things" require an additional parameter called atl_token, which is randomly generated and tied to a specific session. Without knowledge of their values for this parameter, it is not possible to cause other users to carry out actions when viewing a page with your Profile Picture.
See also a draft security advisory I would eventually like to release:
[CONFSERVER-16141] Directory traversal in Profile Picture path - leads to privilege escalation in < 3.0
Elliot Kendall
added a comment - Can you please hold of publicizing your advisory until we release 3.0? Although there is no set date for 3.0.1 release we are hoping that it will be out in 3 to 4 weeks.
Sure, no problem. I will be in touch again in 4 weeks if I don't hear anything by then.
Elliot Kendall
added a comment -
Can you please hold of publicizing your advisory until we release 3.0? Although there is no set date for 3.0.1 release we are hoping that it will be out in 3 to 4 weeks.
Sure, no problem. I will be in touch again in 4 weeks if I don't hear anything by then. So what next? I presume you're going to make an official 2.10.x release including the patch?
As per our security policy we will release a security advisory(which will reference/credit you) describing this bug and open up this issue so that people can download the patch. We only release new versions of current stable branch thus there will be no new version for 2.10.x.
We try to give our customers advanced warning so that they can schedule a maintenance window for patching/upgrading. In this case we would like to release the advisory with the release of 3.0.1 and issue an advance warning one or two weeks prior to that. There are other security issues that we are fixing right now and they will be included in 3.0.1. Can you please hold of publicizing your advisory until we release 3.0? Although there is no set date for 3.0.1 release we are hoping that it will be out in 3 to 4 weeks.
Elliot Kendall
added a comment - That patch works perfectly as far as I can tell - I'm not able to make it behave in any unexpected ways, other than picking, say, readme.txt as my Profile Picture. Nice work.
Of course, that also means that I can't use a transparent Profile Picture any more 
So what next? I presume you're going to make an official 2.10.x release including the patch?
Elliot Kendall
added a comment - That patch works perfectly as far as I can tell - I'm not able to make it behave in any unexpected ways, other than picking, say, readme.txt as my Profile Picture. Nice work.
Of course, that also means that I can't use a transparent Profile Picture any more
So what next? I presume you're going to make an official 2.10.x release including the patch? Elliot Kendall
added a comment - Thanks for the quick response! If only all companies were as pleasant to work with on vulnerability research.
Anyway, I'm afraid your patch doesn't work quite right. From what I can tell, it simply rejects strings containing a / character after the initial /images/icons/profilepics/. However, with some fancy escaping, you can get around the restriction. For example, this will still set your profile picture to /download/attachments/4293261/tux.png:
https://
{HOST}/users/doeditmyprofilepicture.action?userProfilePictureName=/images/icons/profilepics/..%26%2347;..%26%2347;..%26%2347;download%26%2347;attachments%26%2347;4293261%26%2347;tux.png
Elliot Kendall
added a comment - Thanks for the quick response! If only all companies were as pleasant to work with on vulnerability research.
Anyway, I'm afraid your patch doesn't work quite right. From what I can tell, it simply rejects strings containing a / character after the initial /images/icons/profilepics/. However, with some fancy escaping, you can get around the restriction. For example, this will still set your profile picture to /download/attachments/4293261/tux.png:
https://
{HOST}
/users/doeditmyprofilepicture.action?userProfilePictureName=/images/icons/profilepics/..%26%2347;..%26%2347;..%26%2347;download%26%2347;attachments%26%2347;4293261%26%2347;tux.png Hi Elliot,
We have verified that this is indeed a critical vulnerability. Very well discovered, thanks.
Attached is the patch for confluence 2.10.x. To apply the patch you will need to extract the content of the zip archive into <confluence>/WEB-INF/classes directory and restart the server.
The changes to validation code will also be applied to confluence 3.0 and the new minor version will be released. Since confluence 3.0 is not exploitable by this vulnerability the next maintenance release will not be released immediately.
Anatoli
Hi Elliot,
Thanks for reporting this bug. It does sound like a critical vulnerability and we will be fixing it ASAP (according to our security policy. We will comment again once we investigate further, meanwhile we will ask you not to publicize you security advisory until we create a patch for affected customers.
Thanks.
Anatoli.
For consistency, removing the 3.1 version, as this was fixed in 3.0.1