Open source BUG tracking platform JIRA directory traversal vulnerability analysis-vulnerability warning-the black bar safety net

2014-05-15T00:00:00
ID MYHACK58:62201446925
Type myhack58
Reporter 佚名
Modified 2014-05-15T00:00:00

Description

Recently, a new announcement report a Jira 5.0. 1 1 and 6. 0. 3 versions of the directory traversal vulnerability in the last 7 months to be verified, and in the next few months to repair.

Attack method is very simple, but the potential impact is very large, the vulnerability could allow an attacker to upload a file as a webshell on. Later I will fix the vulnerability how to pass the static analysis found, as well as what a small detail that it can only be in the Windows system is utilized.

Vulnerability identification

The following code from plug-in IssuesCollector, the plug-in using REST api support to upload the screenshot file as an attachment attached to the description.

com/atlassian/jira/collector/plugin/rest/TemporaryAttachmentsResource.java

[...] @POST @Path("multipart/{collectorId}") @Consumes({"multipart/form-data"}) @Produces({"text/html"}) publicResponse attachTemporaryFileViaForm(@PathParam("collectorId")String collectorId, @MultipartFormParam("screenshot")Collection<filepart> fileParts) { ServiceOutcome outcome = this. collectorService. getCollector(collectorId); [...] FilePart filePart = (FilePart)fileParts. iterator(). next(); try { [...]

TemporaryAttachment temporaryAttachment = createTemporaryAttachment(filePart. getName(), filePart. getContentType(), filePart. getInputStream()); temporaryAttachmentsMonitor. add(temporaryAttachment); context. put("temporaryAttachment", temporaryAttachment); returnResponse. ok(renderTemplate("templates/rest/tempfilejson. vm", context)). cacheControl(com. atlassian. jira. rest. v1. util. CacheControl. NO_CACHE). build(); } catch(IOException e) { } returnResponse. serverError(). cacheControl(com. atlassian. jira. rest. v1. util. CacheControl. NO_CACHE). build(); }

privateTemporaryAttachment createTemporaryAttachment(String fileName, String contentType, InputStream inputStream) { File tmpDir = AttachmentUtils. getTemporaryAttachmentDirectory(); long uniqueId; File tempAttachmentFile; do { uniqueId = getUUID(); tempAttachmentFile = new File(tmpDir, uniqueId + "_" + fileName); } while(tempAttachmentFile. exists());

FileOutputStream output = null; try { output = new FileOutputStream(tempAttachmentFile); IOUtils. copy(inputStream, output); output. close(); } catch(IOException e) { IOUtils. closeQuietly(output); log. error("Error creating temporary attachment", e); returnnull; }

returnnew TemporaryAttachment(Long. valueOf(uniqueId), Long. valueOf(-1L), tempAttachmentFile, fileName, contentType); }

[1] [2] next