
SQL injection in DefaultReferralManager


      In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java, the deleteReferrersWithPrefix method of the DefaultReferralManager class is vulnerable to SQL injection through the user-controlled 'prefix' parameter. It is possible to exploit this issue as an Admin user through the 'Manage Referrers' admin resource by adding a 'Referrer URL Prefix' which contains ' followed by some SQL and then selecting 'purge' or 'delete' on the given URL prefix.

      The vulnerable code appears as follows:

      // Excerpt from DefaultReferralManager; the end of the method was cut off in the
      // issue text and is completed here (return of the count and closing brace).
      /**
       * potential for mass deletes in this operation. more efficient to use direct jdbc than to do it through hibernate
       *
       * @param prefix
       */
      public int deleteReferrersWithPrefix(String prefix)
      {
          Session session = SessionFactoryUtils.getSession(sessionFactory, true);
          int totalLinksPurged = 0;
          PreparedStatement ps = null;
          ResultSet rs = null;

          try
          {
              Connection c = session.connection();

              // 'prefix' is concatenated straight into the SQL text; a quote character in it
              // terminates the string literal and the remainder is executed as SQL
              String mysql = "select count(*) from EXTRNLNKS where URL LIKE '" + prefix + "%'";

              ps = c.prepareStatement(mysql);
              rs = ps.executeQuery();
              rs.next();
              totalLinksPurged = rs.getInt(1);

              // same concatenation for the delete statement
              mysql = "delete from EXTRNLNKS where URL LIKE '" + prefix + "%'";

              ps = c.prepareStatement(mysql);
              ps.execute();

              //clear hibernate caches, since we used direct jdbc above to be consistent
              sessionFactory.evictQueries();
              sessionFactory.evict(ReferralLink.class);
          }
          catch (HibernateException e)
          {
              log.error("Can't delete referrer with prefix: "+ prefix, e);
          }
          catch (SQLException e)
          {
              log.error("Can't delete referrer with prefix: "+ prefix, e);
          }
          finally
          {
              JDBCUtils.close(rs);
              JDBCUtils.close(ps);
          }

          return totalLinksPurged;
      }
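      For comparison, a hardened form of the same purge, written here as an added illustration and not Atlassian's actual fix: the prefix is bound as a JDBC parameter instead of being concatenated into the statement, and LIKE metacharacters in it are escaped so the prefix matches literally. The class name and the Connection-taking signature are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Hypothetical hardened rewrite of deleteReferrersWithPrefix (illustration only). */
public final class SafeReferrerPurge {

    // '?' is a bound parameter: whatever the prefix contains, it can never end the
    // string literal or add SQL. The ESCAPE clause uses '!' rather than a backslash
    // because some databases treat backslash specially inside string literals.
    private static final String DELETE_SQL =
        "delete from EXTRNLNKS where URL like ? escape '!'";

    /** Escape the escape character itself and the LIKE wildcards '%' and '_'. */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /**
     * Deletes every referrer whose URL starts with the given prefix and returns
     * the number of rows removed. executeUpdate() reports the affected-row count,
     * so the separate count query of the original is no longer needed.
     */
    public static int deleteReferrersWithPrefix(Connection c, String prefix)
            throws SQLException {
        String pattern = escapeLike(prefix) + "%";   // trailing '%' added by the code, not by the user
        try (PreparedStatement del = c.prepareStatement(DELETE_SQL)) {
            del.setString(1, pattern);
            return del.executeUpdate();
        }
    }
}
```

      Any Hibernate cache eviction the original performed after the direct JDBC delete would still be required by the caller.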

              jhoarau Julien Michel Hoarau (Inactive)
              dblack David Black
