SQL injection in DefaultReferralManager


    • 6.1

In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java, the deleteReferrersWithPrefix method of the DefaultReferralManager class is vulnerable to SQL injection through the user-controlled 'prefix' parameter. It is possible to exploit this issue as an Admin user through the 'Manage Referrers' admin resource by adding a 'Referrer URL Prefix' which contains ' followed by some SQL and then selecting 'purge' or 'delete' on the given URL prefix.

      The vulnerable code appears as follows:

      
          /**
           * potential for mass deletes in this operation. more efficient to use direct jdbc than to do it through hibernate
           *
           * @param prefix
           */
          public int deleteReferrersWithPrefix(String prefix)
          {
              Session session = SessionFactoryUtils.getSession(sessionFactory, true);
              int totalLinksPurged = 0;
              PreparedStatement ps = null;
              ResultSet rs = null;
      
              try
              {
                  Connection c = session.connection();
      
                  String mysql = "select count(*) from EXTRNLNKS where URL LIKE '" + prefix + "%'";
      
                  ps = c.prepareStatement(mysql);
                  rs = ps.executeQuery();
                  rs.next();
                  totalLinksPurged = rs.getInt(1);
      
                  mysql = "delete from EXTRNLNKS where URL LIKE '" + prefix + "%'";
      
                  ps = c.prepareStatement(mysql);
                  ps.execute();
                  
                  //clear hibernate caches, since we used direct jdbc above to be consistent
                  sessionFactory.evictQueries();
                  sessionFactory.evict(ReferralLink.class);
              }
              catch (HibernateException e)
              {
                  log.error("Can't delete referrer with prefix: "+ prefix, e);
              }
              catch (SQLException e)
              {
                  log.error("Can't delete referrer with prefix: "+ prefix, e);
              }
              finally
              {
                  JDBCUtils.close(rs);
                  JDBCUtils.close(ps);
              }
      
      
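The root cause is that the prefix is spliced into the SQL text instead of being bound as a parameter. The following is an added example of a hardened version of the same operation, written as plain JDBC against an assumed open Connection; it is not Atlassian's actual fix. It also escapes the LIKE wildcards `%` and `_`, which a parameter binding alone does not neutralise, and takes the purge count from executeUpdate instead of a separate COUNT query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Hardened rewrite of the referrer purge (added example, not Confluence's own code). */
public final class SafeReferrerPurge {

    /**
     * Escape LIKE metacharacters so that a user-supplied prefix is matched
     * literally. The backslash is declared as the escape character in the SQL
     * below, so it must be escaped first.
     */
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_");
    }

    /**
     * Deletes every row of EXTRNLNKS whose URL starts with {@code prefix} and
     * returns the number of rows removed. The prefix is passed to the driver
     * as a bound parameter, so quotes inside it can never change the statement.
     */
    public static int deleteReferrersWithPrefix(Connection c, String prefix) throws SQLException {
        if (prefix == null || prefix.isEmpty()) {
            // an empty prefix would match every row; refuse rather than mass-delete
            throw new IllegalArgumentException("prefix must not be empty");
        }
        String pattern = escapeLike(prefix) + "%";
        // In Java source "escape '\\'" is the SQL text: escape '\'
        String sql = "delete from EXTRNLNKS where URL like ? escape '\\'";
        try (PreparedStatement del = c.prepareStatement(sql)) {
            del.setString(1, pattern);
            return del.executeUpdate();
        }
    }
}
```

With this version an input such as `' or 1=1 --` is matched only as a literal URL prefix, and a prefix like `http://a_b.example` no longer treats `_` as a single-character wildcard.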

Assignee: Julien Michel Hoarau (Inactive)
Reporter: David Black
Votes: 0
Watchers: 6