Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSimon MoserPACKETSTORM:151466
HistoryFeb 01, 2019 - 12:00 a.m.

Pages For Bitbucket Server 2.6.0 Cross Site Scripting

2019-02-0100:00:00
Simon Moser
packetstormsecurity.com
127

0.008 Low

EPSS

Percentile

82.1%

JSON
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2018-037   
Product: Pages for Bitbucket Server  
Manufacturer: Simplenia AG  
Affected Version(s): 2.6.0 and before  
Tested Version(s): 2.6.0  
Vulnerability Type: Cross-Site Scripting (CWE-79)   
Risk Level: Medium  
Solution Status: Fixed   
Manufacturer Notification: 2018-11-26  
Solution Date: 2018-12-19   
Public Disclosure: 2019-01-31  
CVE Reference: CVE-2018-19498  
Author of Advisory: Simon Moser, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Pages for Bitbucket Server is a plugin for Bitbucket Server to display HTML  
files in a repository.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The Pages plugin allows you to publish static web pages in Bitbucket Server  
easily. Repository administrators can enable serving of static web pages for  
any existing branch or tag. Once enabled, users will be able to view HTML  
files of this branch or tag directly in Bitbucket."  
  
This design allows for cross-site scripting since its injected HTML code  
is provided at a subpath of the Bitbucket application.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
Published HTML files using the Pages plugin can contain JavaScript code.  
Therefore, it is, for instance, possible to access unprotected cookies or to  
execute actions on the web interface.  
  
This would not pose a threat if the executed code was contained on  
a subdomain or a different path (if Bitbucket himself already uses a subpath),  
since most cookies are restricted to their respective path.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
1. Enable Pages for selected branch (Repository settings > Web Pages > Enabled)  
2. Upload the following HTML file into this branch:  
* git clone <user>@<bitbucket URL>/scm/<project>/<repository>  
* cd <repository>  
* echo "<html><body><h1>Cookies</h1>  
<script>document.write(document.cookie);</script>  
</body></html>" > index.html  
* git add index.html  
* git commit -m "XSS PoC"  
* git push  
3. Visit https://<bitbucket URL>/pages/<project>/<repository>/browse/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update to the version 2.6.1 or higher of the plugin and disable JavaScript in  
custom pages  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-11-20: Vulnerability discovered  
2018-11-26: Vulnerability reported to manufacturer  
2018-12-19: Update released by manufacturer  
2019-01-31: Advisory publicly released  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Pages for Bitbucket Server   
https://www.simplenia.com/bitbucket-plugins/pages  
[2] SySS Security Advisory SYSS-2018-037  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-037.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Simon Moser of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Simon_Moser.asc  
Key ID: 0x5FF2CFC6  
Key Fingerprint: E3C2 A86E 530D 8BD3 C40B 6542 8376 5B89 5FF2 CFC6   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQEzBAEBCgAdFiEE48KoblMNi9PEC2VCg3ZbiV/yz8YFAlxO9M4ACgkQg3ZbiV/y  
z8b6EwgAjb83VSpSDV0txIs/BjKpZohU6jDDJBfmyv9lXxQIosY+1bi62k69iRC2  
UIySI26wh9iwO4mC+86Iu0m/ZUmQ/fhtVPwd6tYWx30x/DxPOQAnTKHox4OL2a13  
hw5IWlcki5C3UJKXagPQlr7aEu4mdjSezMopboafi7cPs8HF6PDLOdIA/Y6Hoa27  
aPKZWq9j10N+0BsdTM0D2gV8zjgO2EY2mY/WCjj78O1eiRhvwyDz4eJKRI6FG+gS  
M3i7NZBN9VsZiJOyYdLOS/sq/eZbI39gXpUbJvSXsJlQFqOMMIICfgukycGv47Op  
jiT/zWoE7Qh3WmmXPfcF45PQ9zat3w==  
=BCXs  
-----END PGP SIGNATURE-----  
  
`

Related

cve 1
cvelist 1
nvd 1
prion 1
cve
cve
CVE-2018-19498
2019-03-21 16:00:31
cvelist
cvelist
CVE-2018-19498
2019-03-17 21:41:11
nvd
nvd
CVE-2018-19498
2019-03-21 16:00:31
prion
prion
Cross site scripting
2019-03-21 16:00:00

0.008 Low

EPSS

Percentile

82.1%

JSON
Related for PACKETSTORM:151466
cve1cvelist1nvd1prion1