Atlassian Confluence AppFusions Doxygen 1.3.x Information Disclosure

2016-11-21T00:00:00
ID PACKETSTORM:139839
Type packetstorm
Reporter Julien Ahrens
Modified 2016-11-21T00:00:00

Description

                                        
                                            `RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: AppFusions Doxygen for Atlassian Confluence  
Vendor URL: www.appfusions.com  
Type: Information Exposure Through an Error Message [CWE-209]  
Date found: 2016-06-29  
Date published: -  
CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
CVE: -  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
AppFusions Doxygen for Atlassian Confluence v1.3.3  
AppFusions Doxygen for Atlassian Confluence v1.3.2  
AppFusions Doxygen for Atlassian Confluence v1.3.1  
AppFusions Doxygen for Atlassian Confluence v1.3.0  
older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
With Doxygen in Confluence, you can embed full-structure code documentation:  
-Doxygen blueprint in Confluence to allow Doxygen archive imports  
-Display documentation from annotated sources such as Java (i.e., JavaDoc),  
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and  
UNO/OpenOffice  
flavors), Fortran, VHDL, Tcl, D in Confluence.  
-Navigation supports code structure (classes, hierarchies, files), element  
dependencies, inheritance and collaboration diagrams.  
-Search documentation from within Confluence  
-Restrict access to who can see/add what  
-Doxygen in JIRA also available  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The application offers the functionality to import Doxygen  
documentations via a file upload to make it available in a Confluence  
page, but does not properly validate the "file" HTTP GET parameter,  
which is used to retrieve the uploaded contents.  
  
In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is  
read and used as part of a File object:  
  
private void renderContent(HttpServletRequest request,  
HttpServletResponse response) throws IOException {  
String pathInfo = request.getPathInfo();  
String[] pathInfoParts = pathInfo.split("file/");  
String requestedFile = pathInfoParts[1];  
File homeDirectory = this.applicationProperties.getHomeDirectory();  
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator  
+ "doxygen";  
File file = new File(doxygenDir, requestedFile);  
String contentType =  
this.getServletContext().getMimeType(file.getName());  
if (contentType == null) {  
contentType = "application/octet-stream";  
}  
response.setContentType(contentType);  
FileInputStream inputStream = null;  
ServletOutputStream outputStream = null;  
try {  
inputStream = new FileInputStream(file);  
outputStream = response.getOutputStream();  
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);  
}  
finally {  
IOUtils.closeQuietly((InputStream)inputStream);  
IOUtils.closeQuietly((OutputStream)outputStream);  
}  
}  
  
Since there is no exception handling for the opening of the file, this  
results in a local server path disclosure within Atlassian Confluence if  
a non-existing page is requested like:  
  
http://localhost:8090/plugins/servlet/doxygen/TEST/file/non-existent  
  
This throws the following Stack Trace revealing the full system path.  
  
Cause  
  
java.io.FileNotFoundException:  
/var/atlassian/application-data/confluence/doxygen/non-existent (No such  
file or directory)  
at java.io.FileInputStream.open0(Native Method)  
Stack Trace:[hide]  
  
java.io.FileNotFoundException:  
/var/atlassian/application-data/confluence/doxygen/non-existent (No such  
file or directory)  
at java.io.FileInputStream.open0(Native Method)  
at java.io.FileInputStream.open(FileInputStream.java:195)  
at java.io.FileInputStream.<init>(FileInputStream.java:138)  
  
  
6. RISK  
=======  
To successfully exploit this vulnerability, the attacker must be  
authenticated and must have the rights within Atlassian Confluence to  
read uploaded Doxygen files (default).  
  
The vulnerability allows remote attackers to obtain the local server  
path and use it as a supplying information in further attacks like  
RCESEC-2016-007.  
  
  
7. SOLUTION  
===========  
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4  
  
  
8. REPORT TIMELINE (DD/MM/YYYY)  
===============================  
23/08/2016: Discovery of the vulnerability  
23/08/2016: Sent preliminary advisory incl. PoC to known mail address  
30/08/2016: No response, sent out another notification  
30/08/2016: Vendor response, team is working on it  
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability  
29/11/2016: Advisory released  
  
  
9. REFERENCES  
=============  
-  
  
  
`