Unwanted Access to File System via Import Pages Functionality

2007-08-28T05:57:40
ID ATLASSIAN:CONFSERVER-9308
Type atlassian
Reporter ivan@atlassian.com
Modified 2018-10-11T09:06:14

Description

  • security vulnerability found in Confluence 2.5.6

A space administrator can use the "Import Pages from Disk" feature to browse the server file system by pointing the importer at the "/" folder (or any other folder). Because such a folder does not contain the expected files, an error message is displayed that lists its contents, disclosing information about the underlying file system that an average user should never have access to.

The following error(s) occurred:

* An error occurred importing: /dev. Consult console log file for error details.
* An error occurred importing: /etc. Consult console log file for error details.
* An error occurred importing: /lib. Consult console log file for error details.
* An error occurred importing: /usr. Consult console log file for error details.
* An error occurred importing: /bin. Consult console log file for error details.
* An error occurred importing: /var. Consult console log file for error details.
* An error occurred importing: /sbin. Consult console log file for error details.
* An error occurred importing: /opt. Consult console log file for error details.
* An error occurred importing: /tmp. Consult console log file for error details.
* An error occurred importing: /proc. Consult console log file for error details.

This information is very valuable to experienced malicious users and can be used for subsequent attacks on the server.

An attacker might not stop at browsing the file system: they can also gain access to any file that the user account running the Java container can read.

If the system is not configured properly, an attacker can import files such as /etc/passwd into Confluence, along with other files containing critical information about the web server and the network.

Even if the system is properly configured, an attacker who points the importer at the ConfluenceHome directory gains access to confluence.cfg.xml, which contains JDBC configuration details, possibly including the database location and password. The user can also gain access to files belonging to other users that are temporarily stored in the ConfluenceHome/temp folder.

In addition, under certain conditions it might be possible to cause a DoS or DDoS condition on the server by pointing the importer at folders containing large text files (e.g. log files).
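As an added defensive example, not part of this advisory or of Confluence's own code, the Python sketch below shows the controls the report implies for an import-from-disk feature: the requested directory is resolved and confined to one approved import root (so "/", "/etc", "../" or the Confluence home directory cannot be selected), a rejected request gets a generic error that never echoes server-side paths or directory contents, symlinks that lead outside the root are skipped, and each file is capped in size so a folder of large logs cannot exhaust memory. The import root layout, the function names and the constructed sample tree are assumptions for illustration.

```python
"""Added example: confining a directory-import feature to an approved root.

Assumptions (not from the advisory): the importer reads *.txt files from a
user-supplied directory, and the deployment configures one approved base
directory. Function names and the sample tree are hypothetical.
"""
import os
import tempfile
from pathlib import Path


class ImportPathError(ValueError):
    """Raised when the requested directory cannot be used for import."""


def resolve_import_dir(requested: str, import_root: str) -> Path:
    """Return the canonical directory to import from, or raise ImportPathError.

    The request is treated as relative to the import root, then resolved
    (symlinks and '..' removed) and checked to lie inside the canonical root.
    Nothing is listed or read before this check passes.
    """
    root = Path(os.path.realpath(import_root))
    # Strip leading '/' so an absolute request cannot replace the root in the join.
    candidate = Path(os.path.realpath(root / requested.lstrip("/")))
    if candidate != root and root not in candidate.parents:
        raise ImportPathError("requested directory is not under the import root")
    if not candidate.is_dir():
        raise ImportPathError("requested directory does not exist")
    return candidate


def import_pages(requested: str, import_root: str, max_file_bytes: int = 1_000_000) -> dict:
    """Import *.txt files from the approved directory.

    Returns {'imported': [...], 'skipped': [...], 'error': str | None}.
    The error text is generic: it never echoes the server path or the
    directory's entries, so a bad request does not double as a listing.
    """
    try:
        directory = resolve_import_dir(requested, import_root)
    except ImportPathError:
        return {"imported": [], "skipped": [], "error": "invalid import directory"}

    imported, skipped = [], []
    for entry in sorted(directory.iterdir()):
        # Subdirectories and non-page entries are ignored without being named.
        if not entry.is_file() or entry.suffix != ".txt":
            continue
        # A symlink whose target lies outside the import directory is not followed.
        real = Path(os.path.realpath(entry))
        if directory not in real.parents:
            skipped.append(entry.name)
            continue
        # Per-file size cap: a directory of large log files cannot exhaust memory.
        if entry.stat().st_size > max_file_bytes:
            skipped.append(entry.name)
            continue
        imported.append(entry.name)  # the real importer would parse the page here
    return {"imported": imported, "skipped": skipped, "error": None}


def build_sample_tree() -> str:
    """Create a constructed sample import root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="import_root_")
    Path(root, "welcome.txt").write_text("Welcome page")
    Path(root, "huge.txt").write_bytes(b"x" * 2048)   # over the demo size cap
    Path(root, "notes.md").write_text("not a page")     # wrong extension
    os.mkdir(Path(root, "sub"))                         # directories are ignored
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(import_pages("", root, max_file_bytes=1024))   # imports welcome.txt, skips huge.txt
    print(import_pages("../../../..", root))             # generic error, no listing
    print(import_pages("/etc", root))                    # generic error, no listing
```

Resolving both the root and the candidate with realpath before comparing is the part that matters: comparing raw strings would let a symlink inside the root point anywhere on disk, and the same generic message for "outside the root" and "does not exist" keeps the error channel from confirming which directories exist.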