Arbitrary file creation in AbstractRendererExporterImpl

2013-09-11T07:03:11
ID ATLASSIAN:CONFSERVER-30735
Type atlassian
Reporter djohnson@atlassian.com
Modified 2017-02-17T04:34:54

Description

To reproduce:
  1. Create a new space.
  2. Create a new page.
  3. Attach a file called {{test.txt}} to the page.
  4. Edit the page, and add an image with the URL:
     {code}/confluence/s/download/attachments/[page_id]/_/../../../../../../../../../../../../tmp/test.txt{code}
     ({{[page_id]}} must be replaced with the actual page id, and {{/confluence}} must be replaced with the base path, e.g. {{/wiki}} on OD)
  5. Export the space as HTML.
  6. {{test.txt}} will appear in {{/tmp}}.

The name {{test.txt}} is just for the example. This could also be used to create a plugin or script file, leading to code execution.

The path traversal occurs in [exportResource in AbstractRendererExporterImpl.java|https://stash.atlassian.com/projects/CONF/repos/confluence/browse/confluence-core/confluence/src/java/com/atlassian/confluence/importexport/impl/AbstractRendererExporterImpl.java?until=1d373503fb51ca3c6301a2b5a43f97627c3ed804#209]. This is all that needs to be fixed.

The exploit also takes advantage of the flexible nature of AttachmentUrlParser and of the fact that ExportPathUtils removes the static resource prefix from files which can later be treated as attachments, although neither of these is a vulnerability in itself. The path is examined as an attachment in two different places: in {{getExportPathFromAttachment}}, where the {{"/attachment"}} has been filtered because it looks like the static resource prefix, and later in {{AttachmentUrlParser}}, where the {{"/attachment"}} hasn't been filtered. This allows access to the attachment file stream without using the path provided by {{Attachment.getExportPath()}}.

The export is being written by default to "<homedir>/temp/htmlexport-20130912-093912-13"