exploit-db-mirror/platforms/java/webapps/40817.txt
Offensive Security 32fc589910 DB: 2016-11-23
8 new exploits

2016-11-23 05:01:19 +00:00


[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Cross-site Scripting [CWE-79]
Date found: 29/06/2016
Date published: 20/11/2016
CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
Older versions may be affected too.
4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
- Doxygen blueprint in Confluence to allow Doxygen archive imports
- Display documentation from annotated sources such as Java (i.e., JavaDoc),
  C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice
  flavors), Fortran, VHDL, Tcl, D in Confluence.
- Navigation supports code structure (classes, hierarchies, files), element
  dependencies, inheritance and collaboration diagrams.
- Search documentation from within Confluence
- Restrict access to who can see/add what
- Doxygen in JIRA also available
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen documentation via a
file upload to make it available in a Confluence page, but it does not properly
validate the file format or the contents of the uploaded Doxygen file. Since the
uploaded file is essentially a zip archive, it is possible to store any type of
file in it, such as an HTML file containing arbitrary script.
In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object; the file is then streamed back to the
browser with a content type derived only from its file name:
    private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // Everything after "file/" in the request path names the file to serve.
        String pathInfo = request.getPathInfo();
        String[] pathInfoParts = pathInfo.split("file/");
        String requestedFile = pathInfoParts[1];
        File homeDirectory = this.applicationProperties.getHomeDirectory();
        String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen";
        File file = new File(doxygenDir, requestedFile);
        // The MIME type comes from the extension alone, so an uploaded .html
        // file is served as text/html in the Confluence origin.
        String contentType = this.getServletContext().getMimeType(file.getName());
        if (contentType == null) {
            contentType = "application/octet-stream";
        }
        response.setContentType(contentType);
        FileInputStream inputStream = null;
        ServletOutputStream outputStream = null;
        try {
            // The extracted archive content is copied to the response unmodified.
            inputStream = new FileInputStream(file);
            outputStream = response.getOutputStream();
            IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
        }
        finally {
            IOUtils.closeQuietly((InputStream)inputStream);
            IOUtils.closeQuietly((OutputStream)outputStream);
        }
    }
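As an added illustration (not the vendor's code and not necessarily how v1.3.4 fixes the issue), the following variant of the servlet treats the uploaded documentation as untrusted content: it serves it under a CSP sandbox so that Doxygen's own scripts still run but any injected script gets an opaque origin and cannot act as the Confluence user, and it refuses sniffing. The class name, constructor and the injected doxygen directory path are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened servlet; the real plugin's class layout is not shown here.
public class HardenedDoxygenFileServlet extends HttpServlet {
    private final Path doxygenDir; // assumed: <confluence-home>/doxygen, injected at construction

    public HardenedDoxygenFileServlet(Path doxygenDir) {
        this.doxygenDir = doxygenDir.toAbsolutePath().normalize();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String pathInfo = request.getPathInfo();
        int idx = pathInfo == null ? -1 : pathInfo.indexOf("file/");
        if (idx < 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Resolve the requested name against the doxygen directory and only serve
        // regular files that are still inside it (general hygiene for file-serving code).
        Path file = doxygenDir.resolve(pathInfo.substring(idx + "file/".length())).normalize();
        if (!file.startsWith(doxygenDir) || !Files.isRegularFile(file)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String contentType = getServletContext().getMimeType(file.getFileName().toString());
        response.setContentType(contentType == null ? "application/octet-stream" : contentType);
        // The archive contents are user-supplied. "sandbox allow-scripts" without
        // allow-same-origin renders the document in an opaque origin: scripts in it
        // cannot read Confluence cookies, its DOM or call its REST API as the viewer.
        response.setHeader("Content-Security-Policy", "sandbox allow-scripts");
        // Do not let the browser sniff a non-HTML file into an HTML document.
        response.setHeader("X-Content-Type-Options", "nosniff");
        try (InputStream in = Files.newInputStream(file);
             OutputStream out = response.getOutputStream()) {
            in.transferTo(out); // Java 9+
        }
    }
}
```

Serving the documentation from a separate origin (a dedicated hostname) gives the same isolation without relying on browser CSP sandbox support; validating archive entries at upload time alone does not help, because legitimate Doxygen output is itself HTML with script.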
6. RISK
=======
To successfully exploit this vulnerability, the attacker must be authenticated
and must have the rights within Atlassian Confluence to upload Doxygen files
(the default permission).
The vulnerability allows remote attackers to permanently embed arbitrary script
code into the context of an Atlassian Confluence page, which opens up a wide
range of possible attacks, such as redirecting users to arbitrary pages,
presenting phishing content, or attacking the browser and its components of a
user visiting the page.
7. POC
======
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40817.zip
8. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4
9. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released
10. REFERENCES
==============
https://bugs.rcesecurity.com/redmine/issues/13