The following URLs are vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application, such as the contents of the webapp directory in Confluence.

      http://<server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>
      http://<server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>

      Where <FILE> is any file readable by the user who runs the Confluence instance; any such file is accessible through Confluence itself.

      PoC URL:
      http://<server>/spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml
      http://<server>/admin/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml

      This has been verified in Confluence 5.9.1, 5.8.15, and 5.8.14.

      Workarounds

      • Do not run Confluence as root/administrator. We always recommend creating a dedicated user account to run Atlassian products. You can limit the impact of this bug by restricting what the app user account can access.
      • Block URLs that match this pattern using proxy or load balancer rules.
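      As an added detection example (not from the ticket or from Atlassian), the following Python scans Apache access logs for requests to the two vulnerable actions that carry a decoratorName parameter, decoding the query so an encoded "%3D" is caught as well. It assumes the combined log format, that a legitimate decorator name contains no path separators, and that a 403 in the log means a proxy rule rejected the request; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Apache combined log: only client IP, request target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The two vulnerable actions named in the ticket.
ACTION_RE = re.compile(r'/(spaces|admin)/viewdefaultdecorator\.action$', re.I)

# Constructed sample lines (not real traffic): the PoC read, an encoded variant
# answered 403 by a proxy rule, unrelated traffic, and a bare decorator name.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2016:10:01:02 +0000] "GET /spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml HTTP/1.1" 200 5321 "-" "curl/7.47.0"
10.0.0.6 - - [16/Aug/2016:10:02:10 +0000] "GET /admin/viewdefaultdecorator.action?decoratorName%3D..%2FWEB-INF%2Fweb.xml HTTP/1.1" 403 199 "-" "python-requests/2.10"
10.0.0.7 - - [16/Aug/2016:10:03:00 +0000] "GET /display/DOC/Home HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
10.0.0.8 - - [16/Aug/2016:10:04:00 +0000] "GET /spaces/viewdefaultdecorator.action?decoratorName=default HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def decorator_name_from_query(query):
    """Decoded decoratorName value, or None. Each pair is percent-decoded before
    splitting on '=', so an encoded '%3D' is caught (as in the RewriteCond)."""
    for pair in query.split('&'):
        key, _, value = unquote(pair).partition('=')
        if key.lower() == 'decoratorname':
            return value
    return None

def classify(name):
    """Assumption (not from the ticket): a legitimate decorator name is a bare
    identifier, so a path separator or '..' means a file read was attempted."""
    return 'file-read' if ('/' in name or '\\' in name or '..' in name) else 'suspicious'

def find_decorator_requests(log_text):
    """One finding per request to the vulnerable actions carrying decoratorName."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('target').partition('?')
        if not ACTION_RE.search(path):
            continue
        name = decorator_name_from_query(query)
        if name is not None:
            findings.append({'ip': m.group('ip'), 'decoratorName': name,
                             'severity': classify(name),
                             'blocked': m.group('status') == '403'})  # assumes proxy answers 403
    return findings
```

      Run it over a real access log and any "file-read" finding that is not blocked is a request that reached Confluence and should be treated as a likely disclosure.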

            [CONFSERVER-39704] Insecure Direct Object Reference

            Bryan Jorgensen added a comment -

            Sorry for my ignorance but where is this change made at? We are also not able to upgrade just yet.

            Chuck Solie added a comment - - edited

            For anyone else with this issue, I have put an Apache config change in place to block access; from our access logs I don't see other requests that use the decoratorName query string.

                    # CVE-2015-8399 2016-08-16
                    RewriteCond %{QUERY_STRING} decoratorName(=|%3D).* [NC]
                    RewriteRule ^(.*)$ - [F,L]

            Chuck Solie added a comment -

            Minh,

            Thanks for responding, I am working on upgrading to 5.9, but cannot do so immediately and this needs to be fixed on my side quickly. Confluence 5.9 has a significant problem with content indexing CONF-41030, and all our plugins will have to be tested against it after upgrading the DB. Can you provide a short-term workaround?

            Thanks,

            -chuck

            Minh Tran added a comment -

            Dear chuck.solie175462723,

            This bug is already fixed against versions 5.7.6, 5.8.17, 5.9.1. Please upgrade your Confluence to have the fix.

            Best regards,
            Minh Tran
            Confluence BugMaster
            Atlassian


            Chuck Solie added a comment -

            Hi,

            I'm puzzled by the first workaround. It says "Do not run Confluence as root/administrator. We always recommend creating a dedicated user account to run Atlassian products. You can limit the impact of this bug by restricting what the app user account can access."

            I am running Confluence as a non-privileged user (tomcat), and see this vulnerability on both authenticated and anonymous requests.

            For those that cannot immediately upgrade, can you provide an implementable workaround?

            1) What are appropriate ownership and permissions for the confluence/WEB-INF/classes/ files, as they have to be readable by tomcat?

            2) What specific URI patterns should be blocked on the proxy / front end?

            Thanks!

            Scott Dudley [Inactive] added a comment -

            The description says "allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence."

            This seems to be misleading, at least in the case of Confluence 5.5.7. We have a Confluence instance that is configured to permit anonymous access, and even unauthenticated users can access private content using the format "http://<server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>".

            Mark Symons added a comment -

            I see that this issue has a label "CVE-2015-8399". That CVE is reserved but has no content:

            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8399

            Atlassian, should you not now be updating that CVE? For completeness....

            Minh Tran added a comment -

            Dear All,

            For anyone using Confluence version 5.7.x, please upgrade to 5.7.6 to have this fix.
            If you have any kind of questions, please let me know.

            Best regards,
            Minh Tran
            Confluence BugMaster
            Atlassian


            Minh Tran added a comment -

            Dear ddvandenberg1559344819,

            This issue is included in https://confluence.atlassian.com/display/DOC/Confluence+5.8.17+Release+Notes, not in 5.8.14.
            So please upgrade to 5.8.17 to have the fix.

            Best regards,
            Minh Tran
            Confluence BugMaster
            Atlassian


            Danny van den Berg added a comment -

            But it's still not an answer to my question. Why wasn't this added to the release notes?
