Access Restriction Bypass

SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >

=======================================================================

title: Access Restriction Bypass

product: Atlassian Confluence

vulnerable version: 4.3.0 - 6.1.1

fixed version: 6.2.1

CVE number: -

impact: Medium

homepage: www.atlassian.com

found: 2017-03-27

by: Mathias Frank (Office Vienna)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set

conventional wisdom on its ear by launching a successful enterprise

software company with no sales force. From Australia. Our first product, JIRA,

proved that if you make a great piece of software, price it right, and make

it available to anyone to download from the internet, teams will come. And

they'll build great things with it. And they'll tell two friends, and so on,

and so on.

Today a lot has changed. We're over 1,700 Atlassians (and growing), in six

locations, with products to help all types of teams realize their visions and

get stuff done. But the fundamentals remain the same. We're for teams because

we believe that great teams can do amazing things. We're not afraid to do

things differently. And we're driven by an inspiring set of values that shape

our culture and our products for the better."

 

Source: www.atlassian.com/company

 

 

Business recommendation:

------------------------

SEC Consult recommends to upgrade to the latest version available which fixes

the identified issue.

 

 

Vulnerability overview/description:

-----------------------------------

1) Access Restriction Bypass

The "watch" functionality provides a user the option to subscribe to specific

content. Furthermore, the user gets a notification for any new comment made to the

previously subscribed content.

 

A user can manually subscribe to pages which he is not able to view and he then

receives any further comment made on the restricted page.

 

 

Proof of concept:

-----------------

1) Access Restriction Bypass

Prerequisite as admin user just for a proof of concept demo page:

* Create a Space "Demo Space" visible for every user and group

* Create a Page "Demo Page" (example pageID: 1048582) and restrict the

"Viewing and editing restriction" to only the administrator group/user with

the "/pages/getcontentpermissions.action" function.

 

 

Send the following request as user:

------------------------------------------------------------------------------

POST /users/addpagenotificationajax.action HTTP/1.1

Host: localhost:8090

Referer: localhost/display/ds/Welcome+to+Confluence

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

[...]

 

pageId=1048582&atl_token=1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7

------------------------------------------------------------------------------

 

Then the user is subscribed to the "Demo Page" and receives a notification and is

able to receive any further comments made on the subscribed page.

 

 

Vulnerable / tested versions:

-----------------------------

The following version has been tested by SEC Consult

Atlassian Confluence version 5.9.14 and 6.1.1

 

Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are affected.

 

 

Vendor contact timeline:

------------------------

2017-04-03: Contacting vendor through security@atlassian.com

2017-04-05: Vendor confirmed the vulnerability and issued the references

CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence Cloud)

2017-04-13: Vendor fixed the issue CONFCLOUD-54634.

2017-05-11: Asked for planned timeline and release of an fix for CONFSERVER-52241.

2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1.

2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release along

with the advisory - jira.atlassian.com/browse/CONFSERVER-52560

2017-06-13: Public release of advisory.

 

 

Solution:

---------

Upgrade to version 6.2.1 available at: www.atlassian.com/software/confluence/download

The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab.

 

jira.atlassian.com/browse/CONFSERVER-52560

 

 

Workaround:

-----------

Disable workbox notifications as per the instructions found at

confluence.atlassian.com/doc/configuring-workbox-notifications-301663830.html

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/en/Career.htm

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Mathias Frank / @2017