Confluence Data Center / CONFSERVER-26888

Arbitrary resource file download in urlrewrite.xml


Details

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      There is an arbitrary resource file download vulnerability triggered by a third party library org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.

      The urlrewrite.xml rules file contains the pattern that triggers a <to type="forward"> forward rule, which is the equivalent of performing dp = request.getServletContext().getRequestDispatcher(resource); dp.forward(request, response);. This construct allows a user to forward requests to any resource file on the server, such as /WEB-INF/web.xml, which could contain sensitive information like usernames and passwords.

      web.xml

      ...
          <!-- this filter is used to rewrite through the /s/* filter to add caching headers. see: urlrewrite.xml -->
          <filter>
              <filter-name>UrlRewriteFilter</filter-name>
              <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
          </filter>
      

      urlrewrite.xml

      ...
          <rule>
              <from>^/s/(.*)/_/([^\?]*).*</from>
              <run class="com.atlassian.plugin.servlet.ResourceDownloadUtils" method="addPublicCachingHeaders" />
              <to type="forward">/$2</to>
          </rule>
      </urlrewrite>
      

      The attached screenshot shows this issue being exploited. It is recommended that addPublicCachingHeaders be implemented without the vulnerable library until a patch is available.
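      As an added illustration (not part of this report or of Confluence's code), the following Python model applies the <from>/<to> rule quoted above to a request path and shows the kind of target check a replacement for the forward would need before dispatching. The regex and template are the report's; the protected-prefix list and the decode/normalize steps are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# <from> pattern and <to> template as quoted from the report's urlrewrite.xml.
FROM_PATTERN = re.compile(r"^/s/(.*)/_/([^\?]*).*")
TO_TEMPLATE = "/$2"

# Container-private directories a forward must never reach. The report names
# /WEB-INF; /META-INF is added here as an assumption (also servlet-private).
PROTECTED_PREFIXES = ("/WEB-INF", "/META-INF")


def rewrite_target(request_uri):
    """Forward target the rule computes for request_uri, or None if no match."""
    m = FROM_PATTERN.match(request_uri)
    if not m:
        return None
    # UrlRewriteFilter substitutes $N with the N-th capture group of <from>.
    return TO_TEMPLATE.replace("$2", m.group(2))


def is_safe_forward_target(target):
    """True if target cannot resolve into a protected directory."""
    decoded = target
    for _ in range(3):  # undo (double-)percent-encoding such as %2e%2e
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")
    # Collapse "." and ".." segments before comparing prefixes.
    normalized = posixpath.normpath("/" + decoded.lstrip("/")).upper()
    return not any(
        normalized == p or normalized.startswith(p + "/")
        for p in PROTECTED_PREFIXES
    )


def safe_rewrite_target(request_uri):
    """Guarded version: the target, or None when the forward must be refused."""
    target = rewrite_target(request_uri)
    if target is None or not is_safe_forward_target(target):
        return None
    return target
```

      The check is deliberately case-insensitive and decodes before normalizing, so encoded or traversal-based spellings of a protected path are refused along with the plain one.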

      People

        Issac Gerges (Inactive)
        Dan Hodson