Multiple XSS & XSRF vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20150409-0 >

=======================================================================

title: Multiple XSS & XSRF vulnerabilities

product: Comalatech Comala Workflows

vulnerable version: <= 4.6.1

fixed version: 4.6.2 for Confluence 5.4+ and 4.5.4 for Confluence 4.3+

impact: High

homepage: marketplace.atlassian.com/plugins/com.comalatech.workflow

found: 2015-02-16

by: J. Krautwald (Office Berlin)

M. Niederwieser (Office Vienna)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

=======================================================================

 

Vendor & product description:

-----------------------------

"Build your Confluence content your own way through Comala Workflows

approvals, tasks, notifications and workflows.

Set customized workflows to create, review, approve and publish your content.

Assign page reviewers

Create team tasks

Publish approved content

Manage your documentation stages

Use Comala Workflows for:

Quality Management, Standards Compliance, Technical Documentation,

Editorial Publishing"

 

Source: marketplace.atlassian.com/plugins/com.comalatech.workflow

 

 

Business recommendation:

------------------------

Comala Workflows suffers from multiple vulnerabilities due to improper input

and output validation. By exploiting these vulnerabilities an attacker could:

1. Attack other users of the web application with JavaScript code,

browser exploits or Trojan horses, or

2. perform unauthorized actions in the name of another logged-in user.

 

 

Vulnerability overview/description:

-----------------------------------

1. Multiple cross-site scripting issues

Comala Workflows suffers from multiple reflective & stored cross-site

scripting vulnerabilities, which allow an attacker to steal other user's

sessions, to impersonate other users and to gain unauthorized access to

documents hosted in the Confluence instance where the Workflows module is

embedded.

There are many parameters which are not properly sanitized and thus are

vulnerable to XSS.

 

2. Cross-site request forgery vulnerabilities

Comala Workflows does not implement the use of shared secrets (tokens)

to prevent cross-site request forgery (XSRF) attacks.

If an attacker is able to lure a user into clicking a crafted link or

by embedding such a link within web pages (e.g. discussion forums) he

could manipulate data or automatically inject XSS payloads to attack

other users.

 

 

Proof of concept:

-----------------

1. Multiple cross-site scripting issues

a) The input parameters for giving a workflow a name, appending a label to a

given workflow, or adding a new task for a given state are not properly

sanitized and thus susceptible to reflected cross-site scripting. The hereby

affected scripts alongside the vulnerable GET parameters are:

Script GET Parameter(s)

saveproperties.action newLabelName, newWorkflowName

newtask.action taskName

 

When editing an existing workflow via the Markup functionality (accessible via

the workflowMarkup POST parameter of

/plugins/approvalsworkflow/saveworkflowmarkup.action) the attachment-macro is

also susceptible to reflected cross-site scripting.

 

b) When editing an existing workflow via the Markup functionality (accessible

via the workflowMarkup POST parameter of

/plugins/approvalsworkflow/saveworkflowmarkup.action) the workflow element

task does not sanitize the given input and is thus susceptible to

cross-site scripting. The application does not sanitize the given input before

printing it to the "Page Activity" popup which leads to the execution of the

permanently injected script. When assigning such a task to a co-worker, an

e-mail containing the actual payload is sent to the assigned person and when

opening the "My Comala Workflow Tasks", "Page Activity", or

"Page Activity Macro" page, it gets executed.

 

2. Cross-site request forgery vulnerabilities

The /plugins/approvalsworkflow/saveworkflowmarkup.action script for editing

an existing workflow via the Markup functionality, for example, is susceptible

to cross-site request forgery. If an attacker knows a valid project name

(key parameter) and the corresponding workflow name (workflowName parameter),

she might exploit this vulnerability to set the Markup code of the workflow

to an arbitrary value (e.g. a XSS payload via the task element, see 1. b)).

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in up to and including

version 4.6.1.

 

 

Vendor contact timeline:

------------------------

2015-03-17: Contacted vendor through email

2015-03-18: Vendor confirmed vulnerabilities, offered workaround and said

they would fix the vulnerabilities asap

2015-04-08: Vendor released updated versions and advisory

2015-04-09: Coordinated release of security advisory

 

 

Solution:

---------

Upgrade Comala Workflows to version 4.6.2 for Confluence 5.4+ or

upgrade Comala Workflows to version 4.5.4 for Confluence 4.3+

 

See the following advisory by the vendor for further information:

wiki.comalatech.com/display/CW/Comala+Workflows+Security+Advisory+2015-04-08

 

 

Workaround:

-----------

Disable the legacy attachment and embed macros feature.

Disable page workflows.

Edit workflows to prevent tasks being created (taskable param on states).

Disable workflow tasks.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF J. Krautwald / @2015