Multiple CSRF vulnerabilties in Question/Answer Threads

Type atlassian
Reporter admin+bugs1
Modified 2019-08-22T03:45:12


{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Cloud. Using Confluence Server? [See the corresponding bug report|]. {panel}

Multiple CSRF vulnerabilities exist on where an attacker can potentially perform actions such as the following, if the victim visits the attackers malicious resource:

Confirmed affected: - Upvoting of answers - Downvoting of answers - Deletion of answers or comments - Liking of comments - Cancelling of bounties - Marking as favourite

Unconfirmed however may be possible: - Conversion of answers to comments via crafted form - Setting and confirming a bounty

Steps to reproduce:

h3. Issuing Arbritrary Likes/Upvotes/Downvotes

  1. Find the comment or answer you wish to like/upvote/downvote.
  2. To obtain its ID, search the HTML source for "/vote/" or inspect the comment element and find its ID. It should be in this format "/vote/[ID]/up/"
  3. Once the ID is obtained simply place it in the following "img" tag accordingly: <img src="[ID]/up/"/>
  4. When placed into a HTML file and visited by the authenticated Atlassian Answers victim, regardless of which domain the HTML is hosted on, the comment will be upvoted.
  5. To down vote, change "/up/" to "/down/" accordingly in the src value of the img tag.
  6. In order to make the victim like a comment, change the img's src value to "/like_comment/[id]/" accordingly.

The following endpoints were identified to be vulnerable: {noformat} /vote/[id]/up/ /vote/[id]/down/ /bounty/[id]/cancel/ /like_comment/[id]/ /mark_favorite/[id]/ /delete_comment/[id]/ /delete/[id]/ {noformat} The following HTTP request was able to successfully delete a comment made by me, without any prior verification or validation: {noformat} GET /delete_comment/299015/ HTTP/1.1 Host: Connection: keep-alive Accept: image/webp,/;q=0.8 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3 DNT: 1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: [redacted] {noformat}