Privilege escalation: User is able to add a page to his watchlist without having the permission

Type atlassian
Reporter jaehnel
Modified 2017-02-17T05:39:28



create user1 and user2 user1 has access to space1 user2 has access to space2

user1 can add a page to his watchlist by manipulating (using a proxy like webscarab) the postrequest to http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr

and replacing the id contained in parameter c0-param0

the posted data looks like that

callCount=1 c0-scriptName=PageNotification c0-methodName=startWatching c0-id=215_1221492126248 c0-param0=string:393224 xml=true

This results in the page being added to the users watchlist, displaying the title and the corresponding space, even though the user should not have access to this space at all.

I have not tested the email functionality since there was no mailserver available for testing wether a message gets sent on change of the watched page.

IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the vulnerability to publicly available security forums such as CERT ( Our policy is to give you at least 30 days grace period prior to any public disclosure.