Lack of CSRF protection on Voting

2014-06-23T03:45:26
ID ATLASSIAN:CONFSERVER-47905
Type atlassian
Reporter sshah@atlassian.com
Modified 2018-10-11T09:07:16

Description

{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Server. Using Confluence Cloud? [See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-47905]. {panel}

In Confluence Questions, a victim can be made to upvote a question or answer automatically just by visiting a question page, because the vote endpoints have no CSRF protection.

When upvoting an answer manually from the question page, a single POST request is issued, e.g. {{POST /wiki/rest/questions/1.0/vote/answer/524305/up HTTP/1.1}}

Whilst this endpoint itself has no CSRF protection, an attacker cannot simply place it in an {{img}} tag within a comment to automatically upvote/downvote a specific answer, because a GET request to the above URL returns {{HTTP/1.1 405 Method Not Allowed}}.

However, by inspecting the links sent in notification emails, we find another endpoint which can be used to upvote an answer:

{{https://cquestionspentest.atlassian.net/wiki/cq/upvote.action?answerId=524326&src=email}}

This endpoint also has no CSRF protection, but it is GET based, so it can be embedded as an image. When a victim visits the question page where the image is embedded, their browser requests the URL with their session cookie and the answer with ID 524326 is automatically upvoted.

There is a similar issue in Confluence itself in the "Likes" feature, which has been marked as won't-fix due to its trivial nature. To maintain the integrity of the way points are awarded for questions in CQ, a CSRF token should be required on all upvote and downvote requests (and state changes should not be accepted over GET).

PoC:

  1. Obtain the ID of the question/answer you wish to upvote. Hovering over the date shown on the question or answer reveals its ID, e.g. 524305
  2. Construct a link which upvotes the given ID on a GET request, e.g. {{https://cquestionspentest.atlassian.net/wiki/cq/upvote.action?answerId=524305&src=email}}
  3. Post a comment, but intercept the request and replace the body parameter with the following: {noformat} <p><img class="confluence-embedded-image" title="null > blah.jpg" src="https://cquestionspentest.atlassian.net/wiki/cq/upvote.action?answerId=524305&src=email" data-image-src="/wiki/cq/upvote.action?answerId=524305&src=email?version=1&modificationDate=1403481880299&api=v2" data-linked-resource-id="884750" data-linked-resource-type="attachment" data-linked-resource-default-alias="/wiki/cq/upvote.action?answerId=524305&src=email" data-base-url="https://cquestionspentest.atlassian.net/wiki/cq/upvote.action?answerId=524305&src=email"></p> {noformat}
  4. Observe that when any user visits the question page, the answer with ID 524305 is automatically upvoted with their session.