Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Atlassian Confluence AppFusions Doxygen 1.3.x Cross Site Scripting

🗓️ 21 Nov 2016 00:00:00Reported by Julien AhrensType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 57 Views

AppFusions Doxygen for Atlassian Confluence 1.3.x Cross-Site Scriptin

Code
`RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: AppFusions Doxygen for Atlassian Confluence  
Vendor URL: www.appfusions.com  
Type: Cross-site Scripting [CWE-79]  
Date found: 2016-06-29  
Date published: -  
CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)  
CVE: -  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
AppFusions Doxygen for Atlassian Confluence v1.3.3  
AppFusions Doxygen for Atlassian Confluence v1.3.2  
AppFusions Doxygen for Atlassian Confluence v1.3.1  
AppFusions Doxygen for Atlassian Confluence v1.3.0  
older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
With Doxygen in Confluence, you can embed full-structure code documentation:  
-Doxygen blueprint in Confluence to allow Doxygen archive imports  
-Display documentation from annotated sources such as Java (i.e., JavaDoc),  
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and  
UNO/OpenOffice  
flavors), Fortran, VHDL, Tcl, D in Confluence.  
-Navigation supports code structure (classes, hierarchies, files), element  
dependencies, inheritance and collaboration diagrams.  
-Search documentation from within Confluence  
-Restrict access to who can see/add what  
-Doxygen in JIRA also available  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The application offers the functionality to import zipped Doxygen  
documentations via a file upload to make them available in a Confluence  
page, but does not properly validate the file format/the contents of the  
uploaded Doxygen file. Since the uploaded file is basically a zipped  
archive, it is possible to store any type of file in it like an HTML  
file containing arbitrary script.  
  
In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read  
and used as part of a File object:  
  
private void renderContent(HttpServletRequest request,  
HttpServletResponse response) throws IOException {  
String pathInfo = request.getPathInfo();  
String[] pathInfoParts = pathInfo.split("file/");  
String requestedFile = pathInfoParts[1];  
File homeDirectory = this.applicationProperties.getHomeDirectory();  
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator  
+ "doxygen";  
File file = new File(doxygenDir, requestedFile);  
String contentType =  
this.getServletContext().getMimeType(file.getName());  
if (contentType == null) {  
contentType = "application/octet-stream";  
}  
response.setContentType(contentType);  
FileInputStream inputStream = null;  
ServletOutputStream outputStream = null;  
try {  
inputStream = new FileInputStream(file);  
outputStream = response.getOutputStream();  
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);  
}  
finally {  
IOUtils.closeQuietly((InputStream)inputStream);  
IOUtils.closeQuietly((OutputStream)outputStream);  
}  
}  
  
  
6. RISK  
=======  
To successfully exploit this vulnerability, the attacker must be  
authenticated and must have the rights within Atlassian Confluence to  
upload Doxygen files (default).  
  
The vulnerability allows remote attackers to permanently embed arbitrary  
script code into the context of an Atlassian Confluence page, which  
offers a wide range of possible attacks such as redirecting users to  
arbitrary pages, present phishing content or attacking the browser and  
its components of a user visiting the page.  
  
  
7. SOLUTION  
===========  
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4  
  
  
8. REPORT TIMELINE (DD/MM/YYYY)  
===============================  
23/08/2016: Discovery of the vulnerability  
23/08/2016: Sent preliminary advisory incl. PoC to known mail address  
30/08/2016: No response, sent out another notification  
30/08/2016: Vendor response, team is working on it  
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability  
20/11/2016: Advisory released  
  
  
9. REFERENCES  
=============  
-  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Nov 2016 00:00Current
7.4High risk
Vulners AI Score7.4
atlassian confluenceappfusions doxygencross-site scriptingrce securityvulnerabilityfile uploadauthenticationremote attacksolutionadvisory informationvendor urlversions affectedcode documentationsecurity advisory.
57