Resource file path traversal in IconDownloadResourceManager

2013-09-16T06:17:40
ID ATLASSIAN:CONFSERVER-30796
Type atlassian
Reporter djohnson@atlassian.com
Modified 2018-10-11T09:02:41

Description

To reproduce:

1. Create a new page (title doesn't matter).
2. Insert an image with URL:
{code:none}
/confluence/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties
{code}
with {{/confluence/}} replaced with the correct base path. (Edit the page, click +, click Image, select the From the Web tab, enter the path shown above, click Insert, click Save)
3. Export to word (view the page, click "Tools", click "Export to Word")
4. View the file as plain text (the contents of {{crowd.properties}} appear near the end)


{{IconDownloadResourceManager}} handles the export of this URL. The traversal occurs in [IconDownloadResourceManager.java, lines 23-25|https://stash.atlassian.com/projects/CONF/repos/confluence/browse/confluence-core/confluence/src/java/com/atlassian/confluence/importexport/resource/IconDownloadResourceManager.java#23]. While this attack could be prevented at the {{ExportWordPageServer}} layer, {{IconDownloadResourceManager}} should definitely be fixed as there are other paths to this code which may be vulnerable.

This allows access to any resource file, which includes sensitive configuration information (like the crowd password, or the home directory path). It does not allow access to most files.
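
One way to close this class of bug at the resource-lookup layer, as an added example rather than Confluence's code or its actual fix: resolve the {{.}} and {{..}} segments first, then compare the result against the allowed prefix. The class name {{IconPathGuard}}, the method {{confine}} and the prefix {{/images/icons/}} (the URL from step 2 without the base path) are assumptions, and the input is assumed to be already URL-decoded with the base path stripped.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Hypothetical helper (not Confluence code): confines resource lookups to one directory. */
public final class IconPathGuard {
    // Assumed prefix, derived from the URL in the reproduction steps.
    private static final String ALLOWED_PREFIX = "/images/icons/";

    /** Returns the normalized path if it stays under ALLOWED_PREFIX, otherwise null. */
    public static String confine(String decodedPath) {
        // Reject non-absolute paths, backslashes and NUL bytes outright.
        if (decodedPath == null || !decodedPath.startsWith("/")
                || decodedPath.indexOf('\\') >= 0 || decodedPath.indexOf('\0') >= 0) {
            return null;
        }
        // Resolve "." and ".." segment by segment before any prefix comparison.
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : decodedPath.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // climbs above the resource root
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        String normalized = "/" + String.join("/", segments);
        // The prefix test runs on the normalized form. Run on the raw string it
        // would accept the step 2 path, which begins with /images/icons/.
        return normalized.startsWith(ALLOWED_PREFIX) ? normalized : null;
    }

    public static void main(String[] args) {
        String[] samples = {
            // Path from step 2 of the report, base path removed.
            "/images/icons/profilepics/../../../WEB-INF/classes/crowd.properties",
            // Constructed sample paths.
            "/images/icons/profilepics/default.png",
            "/images/icons/profilepics/../emoticons/smile.png",
            "/images/icons/../../../../etc/passwd",
        };
        for (String sample : samples) {
            System.out.println(sample + " -> " + confine(sample));
        }
    }
}
```

Callers should load the returned normalized path, not the original string, so that the value that was checked is the value that is used.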