[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-ID REQUEST] Atlassian Confluence - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities

To: "'cve@xxxxxxxxx'" <cve@xxxxxxxxx>, "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [CVE-ID REQUEST] Atlassian Confluence - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
From: Robert Gilbert <rgilbert@xxxxxxxxxx>
Date: Thu, 20 Sep 2012 01:43:38 +0000

Product: Confluence
Vendor: Atlassian
Version: 3.0 / Current
Tested Version: 3.4.6
Vendor Notified Date: June 31, 2011
Release Date: September 19, 2012
Risk: Medium
Authentication: Depends on configuration.
Remote: Yes

Description: 
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Confluence 3.0 
and below allow remote attackers to submit actions on their behalf. Newer 
versions may also be vulnerable.
Pages that allow a potential attacker to add images (such as in the comments 
sections) allow CSRF. By not properly checking each URL, an attacker can 
execute requests on behalf of a legitimate user. 
As a proof-of-concept,  a comment is added to a page which includes the logout 
URL inside the wiki markup image tags. Whenever anyone visits that page they 
are automatically logged out because the page attempts to load the image and 
executes the 'src=url'. This comment can be added to anyone's profile, which 
would force them to be logged out the moment they login. This can be used for 
more complex attacks too but going beyond the POC was not necessary.

Exploit POC:
1. Add comment.
2. !http://pwndshop.com/logout.action|border=1!

Vendor Notified: Yes
Vendor Response: Requested time to resolve.
Vendor Update: 1.5 years later, marked as "Resolution: Won't Fix"

Reference: 
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Credit:
Robert Gilbert
Senior Consultant
HALOCK Security Labs, Purpose Driven Security(tm)
rgilbert [-at-] halock [-dot-] com 
http://www.halock.com
http://blog.halock.com


Note: This message (including any attachments) is intended only for the use of 
the individual or entity to which it is addressed and may contain information 
that is non-public, proprietary, privileged, and/or confidential. If you are 
not the intended recipient, you are hereby notified that any use, 
dissemination, distribution, or copying of this communication is strictly 
prohibited. If you have received this communication in error, please notify us 
immediately by telephone and delete this message immediately.

Prev by Date: GreHack 2012 - 19th Oct. Grenoble, France - Conference + CTF - Call For [ Participation, Student Grants Application, Music Bands/Artists/DJ ]
Next by Date: [Announcement] ClubHack Magazine's Sept 2012 Issue Out
Previous by thread: GreHack 2012 - 19th Oct. Grenoble, France - Conference + CTF - Call For [ Participation, Student Grants Application, Music Bands/Artists/DJ ]
Next by thread: [Announcement] ClubHack Magazine's Sept 2012 Issue Out
Index(es):
- Date
- Thread