Atlassian Confluence arbitrary file include Vulnerability (CVE-2015-8399)
2016-09-14T00:00:00
ID SSV:92416 Type seebug Reporter LoRexxar Modified 2016-09-14T00:00:00
Description
Affect the Assembly: Atlassian Confluence
Atlassian Confluence is less than 5. 8. 17 versions of the service exist in the arbitrary file read and directory traversal vulnerabilities
/spaces/viewdefaultdecorator. action? decoratorName=. Lists the current directory /spaces/viewdefaultdecorator. action? decoratorName=/ Lists the web Service's root directory /spaces/viewdefaultdecorator. action? decoratorName=../ Listed on the directory level(for some of the service is invalid) /spaces/viewdefaultdecorator. action? decoratorName=file:///etc/passwd Through the file Protocol can be done read system files and directories
But not root permissions, so the hazard has been reduced, but you can read the web Service's configuration file, so the hazard of any course can not look down upon
{"type": "seebug", "lastseen": "2017-11-19T12:03:24", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "href": "https://www.seebug.org/vuldb/ssvid-92416", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "history": [], "modified": "2016-09-14T00:00:00", "reporter": "LoRexxar", "description": "Affect the Assembly: Atlassian Confluence\n\nAtlassian Confluence is less than 5. 8. 17 versions of the service exist in the arbitrary file read and directory traversal vulnerabilities\n\n/spaces/viewdefaultdecorator. action? decoratorName=. Lists the current directory /spaces/viewdefaultdecorator. action? decoratorName=/ Lists the web Service's root directory /spaces/viewdefaultdecorator. action? decoratorName=../ Listed on the directory level(for some of the service is invalid) /spaces/viewdefaultdecorator. action? decoratorName=file:///etc/passwd Through the file Protocol can be done read system files and directories\n\nBut not root permissions, so the hazard has been reduced, but you can read the web Service's configuration file, so the hazard of any course can not look down upon\n", "bulletinFamily": "exploit", "references": [], "objectVersion": "1.4", "viewCount": 16, "status": "cve,poc,details", "sourceHref": "", "cvelist": ["CVE-2015-8399"], "enchantments_done": [], "title": "Atlassian Confluence arbitrary file include Vulnerability (CVE-2015-8399)", "id": "SSV:92416", "sourceData": "", "published": "2016-09-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-8399"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONF-39704", "ATLASSIAN:CONFSERVER-39704"]}, {"type": "zdt", "idList": ["1337DAY-ID-24843"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806815", "OPENVAS:1361412562310106113"]}, {"type": "exploitdb", "idList": ["EDB-ID:39170"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135130"]}], "modified": "2017-11-19T12:03:24"}, "vulnersScore": 5.0}, "_object_type": "robots.models.seebug.SeebugBulletin"}
{"cve": [{"lastseen": "2018-10-10T11:05:53", "bulletinFamily": "NVD", "description": "Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.", "modified": "2018-10-09T15:58:34", "published": "2016-04-11T17:59:11", "id": "CVE-2015-8399", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8399", "title": "CVE-2015-8399", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}], "atlassian": [{"lastseen": "2017-03-22T18:16:53", "bulletinFamily": "software", "description": "The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence.\r\n\r\nhttp://<server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>\r\nhttp://<server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>\r\n\r\nWhere <FILE> any file readable by the user who runs the Confluence instance is accessible through Confluence itself.\r\n\r\nPoC URL:\r\nhttp://<server>/spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml\r\nhttp://<server>/admin/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml\r\n\r\nThis has been verified in confluence 5.9.1, 5.8.15, and 5.8.14\r\n\r\nh2. Workarounds\r\n\r\n* Do not run Confluence as root/administrator. We always recommend creating a dedicated user account to run Atlassian products. You can limit the impact of this bug by restricting what the app user account can access.\r\n* Block URLs that match this pattern using proxy or load balancer rules.\r\n\r\n", "modified": "2016-12-12T01:59:35", "published": "2015-10-27T19:37:15", "href": "https://jira.atlassian.com/browse/CONF-39704", "id": "ATLASSIAN:CONF-39704", "title": "Insecure Direct Object Reference", "type": "atlassian", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-11T12:11:11", "bulletinFamily": "software", "description": "The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence.\r\n\r\nhttp://<server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>\r\nhttp://<server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>\r\n\r\nWhere <FILE> any file readable by the user who runs the Confluence instance is accessible through Confluence itself.\r\n\r\nPoC URL:\r\nhttp://<server>/spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml\r\nhttp://<server>/admin/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml\r\n\r\nThis has been verified in confluence 5.9.1, 5.8.15, and 5.8.14\r\n\r\nh2. Workarounds\r\n\r\n* Do not run Confluence as root/administrator. We always recommend creating a dedicated user account to run Atlassian products. You can limit the impact of this bug by restricting what the app user account can access.\r\n* Block URLs that match this pattern using proxy or load balancer rules.\r\n\r\n", "modified": "2018-10-11T08:48:47", "published": "2015-10-27T19:37:15", "id": "ATLASSIAN:CONFSERVER-39704", "href": "https://jira.atlassian.com/browse/CONFSERVER-39704", "title": "Insecure Direct Object Reference", "type": "atlassian", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-04-08T01:45:16", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-01-05T00:00:00", "published": "2016-01-05T00:00:00", "id": "1337DAY-ID-24843", "href": "https://0day.today/exploit/description/24843", "type": "zdt", "title": "Atlassian Confluence 5.2 / 5.8.14 / 5.8.15 - Multiple Vulnerabilities", "sourceData": "[Systems Affected]\r\n Product : Confluence\r\n Company : Atlassian\r\n Versions (1) : 5.2 / 5.8.14 / 5.8.15\r\n CVSS Score (1) : 6.1 / Medium (classified by vendor)\r\n Versions (2) : 5.9.1 / 5.8.14 / 5.8.15\r\n CVSS Score (2) : 7.7 / High (classified by vendor)\r\n \r\n \r\n[Product Description]\r\n Confluence is team collaboration software, where you create,\r\norganize and discuss work with your team. it is developed and marketed\r\nby Atlassian.\r\n \r\n \r\n[Vulnerabilities]\r\n Two vulnerabilities were identified within this application:\r\n (1) Reflected Cross-Site Scripting (CVE-2015-8398)\r\n (2) Insecure Direct Object Reference (CVE-2015-8399)\r\n \r\n \r\n[Advisory Timeline]\r\n 26/Oct/2015 - Discovery and vendor notification\r\n 26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)\r\n 26/Oct/2015 - Issue CONF-39689 created\r\n 27/Oct/2015 - Vendor replied for Insecure Direct Object Reference\r\n(SEC-491 / SEC-492)\r\n 27/Oct/2015 - Issue CONF-39704 created\r\n 16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed\r\n 19/Nov/2015 - Vendor confirmed that Insecure Direct Object\r\nReference was fixed\r\n \r\n \r\n[Patch Available]\r\n According to the vendor, upgrade to Confluence version 5.8.17\r\n \r\n \r\n[Description of Vulnerabilities]\r\n (1) Reflected Cross-Site Scripting\r\n An unauthenticated reflected Cross-site scripting was found in\r\nthe REST API. The vulnerability is located at\r\n/rest/prototype/1/session/check/ and the payload used is <img src=a\r\nonerror=alert(document.cookie)>\r\n \r\n [References]\r\n CVE-2015-8398 / SEC-490 / CONF-39689\r\n \r\n [PoC]\r\n http://<Confluence\r\nServer>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E\r\n \r\n \r\n (2) Insecure Direct Object Reference\r\n Two instances of Insecure Direct Object Reference were found\r\nwithin the application, that allows any authenticated user to read\r\nconfiguration files from the application\r\n \r\n [References]\r\n CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704\r\n \r\n [PoC]\r\n http://<Confluence\r\nServer>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>\r\n http://<Confluence\r\nServer>/admin/viewdefaultdecorator.action?decoratorName=<FILE>\r\n \r\n This is an example of accepted <FILE> parameters\r\n /WEB-INF/decorators.xml\r\n /WEB-INF/glue-config.xml\r\n /WEB-INF/server-config.wsdd\r\n /WEB-INF/sitemesh.xml\r\n /WEB-INF/urlrewrite.xml\r\n /WEB-INF/web.xml\r\n /databaseSubsystemContext.xml\r\n /securityContext.xml\r\n /services/statusServiceContext.xml\r\n com/atlassian/confluence/security/SpacePermission.hbm.xml\r\n com/atlassian/confluence/user/OSUUser.hbm.xml\r\n com/atlassian/confluence/security/ContentPermissionSet.hbm.xml\r\n com/atlassian/confluence/user/ConfluenceUser.hbm.xml\r\n \r\n-- \r\nS3ba\r\n@s3bap3\r\nlinkedin.com/in/s3bap3\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/24843"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:34", "bulletinFamily": "exploit", "description": "", "modified": "2016-01-04T00:00:00", "published": "2016-01-04T00:00:00", "href": "https://packetstormsecurity.com/files/135130/Atlassian-Confluence-XSS-Insecure-Direct-Object-Reference.html", "id": "PACKETSTORM:135130", "type": "packetstorm", "title": "Atlassian Confluence XSS / Insecure Direct Object Reference", "sourceData": "`[Systems Affected] \nProduct : Confluence \nCompany : Atlassian \nVersions (1) : 5.2 / 5.8.14 / 5.8.15 \nCVSS Score (1) : 6.1 / Medium (classified by vendor) \nVersions (2) : 5.9.1 / 5.8.14 / 5.8.15 \nCVSS Score (2) : 7.7 / High (classified by vendor) \n \n \n[Product Description] \nConfluence is team collaboration software, where you create, \norganize and discuss work with your team. it is developed and marketed \nby Atlassian. \n \n \n[Vulnerabilities] \nTwo vulnerabilities were identified within this application: \n(1) Reflected Cross-Site Scripting (CVE-2015-8398) \n(2) Insecure Direct Object Reference (CVE-2015-8399) \n \n \n[Advisory Timeline] \n26/Oct/2015 - Discovery and vendor notification \n26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490) \n26/Oct/2015 - Issue CONF-39689 created \n27/Oct/2015 - Vendor replied for Insecure Direct Object Reference \n(SEC-491 / SEC-492) \n27/Oct/2015 - Issue CONF-39704 created \n16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed \n19/Nov/2015 - Vendor confirmed that Insecure Direct Object \nReference was fixed \n \n \n[Patch Available] \nAccording to the vendor, upgrade to Confluence version 5.8.17 \n \n \n[Description of Vulnerabilities] \n(1) Reflected Cross-Site Scripting \nAn unauthenticated reflected Cross-site scripting was found in \nthe REST API. The vulnerability is located at \n/rest/prototype/1/session/check/ and the payload used is <img src=a \nonerror=alert(document.cookie)> \n \n[References] \nCVE-2015-8398 / SEC-490 / CONF-39689 \n \n[PoC] \nhttp://<Confluence \nServer>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E \n \n \n(2) Insecure Direct Object Reference \nTwo instances of Insecure Direct Object Reference were found \nwithin the application, that allows any authenticated user to read \nconfiguration files from the application \n \n[References] \nCVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704 \n \n[PoC] \nhttp://<Confluence \nServer>/spaces/viewdefaultdecorator.action?decoratorName=<FILE> \nhttp://<Confluence \nServer>/admin/viewdefaultdecorator.action?decoratorName=<FILE> \n \nThis is an example of accepted <FILE> parameters \n/WEB-INF/decorators.xml \n/WEB-INF/glue-config.xml \n/WEB-INF/server-config.wsdd \n/WEB-INF/sitemesh.xml \n/WEB-INF/urlrewrite.xml \n/WEB-INF/web.xml \n/databaseSubsystemContext.xml \n/securityContext.xml \n/services/statusServiceContext.xml \ncom/atlassian/confluence/security/SpacePermission.hbm.xml \ncom/atlassian/confluence/user/OSUUser.hbm.xml \ncom/atlassian/confluence/security/ContentPermissionSet.hbm.xml \ncom/atlassian/confluence/user/ConfluenceUser.hbm.xml \n \n-- \nS3ba \n@s3bap3 \nlinkedin.com/in/s3bap3 \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135130/confluence-xssdisclose.txt"}], "openvas": [{"lastseen": "2018-10-26T14:39:17", "bulletinFamily": "scanner", "description": "This host is installed with Atlassian\n Confluence and is prone to cross site scripting and insecure direct object\n reference vulnerabilities.", "modified": "2018-10-25T00:00:00", "published": "2016-01-08T00:00:00", "id": "OPENVAS:1361412562310806815", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806815", "title": "Atlassian Confluence XSS and Insecure Direct Object Reference Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_confluence_xss_vuln.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# Atlassian Confluence XSS and Insecure Direct Object Reference Vulnerabilities\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:confluence\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806815\");\n script_version(\"$Revision: 12096 $\");\n script_cve_id(\"CVE-2015-8398\", \"CVE-2015-8399\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-08 16:21:20 +0530 (Fri, 08 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Atlassian Confluence XSS and Insecure Direct Object Reference Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Atlassian\n Confluence and is prone to cross site scripting and insecure direct object\n reference vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to\n\n - An improper sanitization of user supplied input via different parameters\n in the REST API.\n\n - An Insecure Direct Object Reference via parameter 'decoratorName'.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary script code in a user's browser session\n and to read configuration files from the application.\");\n\n script_tag(name:\"affected\", value:\"Confluence versions 5.9.1, 5.8.14\n 5.8.15, 5.2\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Confluence version 5.8.17 or later\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39170/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2016/Jan/5\");\n script_xref(name:\"URL\", value:\"https://packetstormsecurity.com/files/135130/confluence-xssdisclose.txt\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_confluence_detect.nasl\");\n script_mandatory_keys(\"atlassian_confluence/installed\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"https://www.atlassian.com/software/confluence\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E';\n\nif(http_vuln_check(port:http_port, url:url, pattern:\"alert\\(document.cookie\\)\", check_header:TRUE,\n extra_check:\"Expected user\"))\n{\n report = report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-14T14:50:38", "bulletinFamily": "scanner", "description": "Atlassian Confluence is prone to multiple vulnerabilities.", "modified": "2018-11-13T00:00:00", "published": "2016-07-04T00:00:00", "id": "OPENVAS:1361412562310106113", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106113", "title": "Atlassian Confluence Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_confluence_mult_vuln.nasl 12338 2018-11-13 14:51:17Z asteins $\n#\n# Atlassian Confluence Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:confluence\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106113\");\n script_version(\"$Revision: 12338 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-13 15:51:17 +0100 (Tue, 13 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-04 12:33:39 +0700 (Mon, 04 Jul 2016)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2015-8398\", \"CVE-2015-8399\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Confluence Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_confluence_detect.nasl\");\n script_mandatory_keys(\"atlassian_confluence/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Confluence is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Atlassian Confluence is prone to two vulnerabilities:\n\nCross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML\nvia the PATH_INFO to rest/prototype/1/session/check. (CVE-2015-8398)\n\nRemote authenticated users may read configuration files via the decoratorName parameter to\nspaces/viewdefaultdecorator.action or admin/viewdefaultdecorator.action. (CVE-2015-8399)\");\n\n script_tag(name:\"impact\", value:\"Unauthenticated remote attackers may inject arbitrary scripts.\nAuthenticated attackers may read configuration files.\");\n\n script_tag(name:\"affected\", value:\"Version 5.8.16 and previous\");\n\n script_tag(name:\"solution\", value:\"Update to 5.8.17 or later versions.\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2016/Jan/9\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"5.8.17\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.8.17\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-04T09:38:30", "bulletinFamily": "exploit", "description": "Atlassian Confluence 5.2 / 5.8.14 / 5.8.15 - Multiple Vulnerabilities. CVE-2015-8398,CVE-2015-8399. Webapps exploit for xml platform", "modified": "2016-01-05T00:00:00", "published": "2016-01-05T00:00:00", "id": "EDB-ID:39170", "href": "https://www.exploit-db.com/exploits/39170/", "type": "exploitdb", "title": "Atlassian Confluence 5.2 / 5.8.14 / 5.8.15 - Multiple Vulnerabilities", "sourceData": "[Systems Affected]\r\n Product : Confluence\r\n Company : Atlassian\r\n Versions (1) : 5.2 / 5.8.14 / 5.8.15\r\n CVSS Score (1) : 6.1 / Medium (classified by vendor)\r\n Versions (2) : 5.9.1 / 5.8.14 / 5.8.15\r\n CVSS Score (2) : 7.7 / High (classified by vendor)\r\n\r\n\r\n[Product Description]\r\n Confluence is team collaboration software, where you create,\r\norganize and discuss work with your team. it is developed and marketed\r\nby Atlassian.\r\n\r\n\r\n[Vulnerabilities]\r\n Two vulnerabilities were identified within this application:\r\n (1) Reflected Cross-Site Scripting (CVE-2015-8398)\r\n (2) Insecure Direct Object Reference (CVE-2015-8399)\r\n\r\n\r\n[Advisory Timeline]\r\n 26/Oct/2015 - Discovery and vendor notification\r\n 26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)\r\n 26/Oct/2015 - Issue CONF-39689 created\r\n 27/Oct/2015 - Vendor replied for Insecure Direct Object Reference\r\n(SEC-491 / SEC-492)\r\n 27/Oct/2015 - Issue CONF-39704 created\r\n 16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed\r\n 19/Nov/2015 - Vendor confirmed that Insecure Direct Object\r\nReference was fixed\r\n\r\n\r\n[Patch Available]\r\n According to the vendor, upgrade to Confluence version 5.8.17\r\n\r\n\r\n[Description of Vulnerabilities]\r\n (1) Reflected Cross-Site Scripting\r\n An unauthenticated reflected Cross-site scripting was found in\r\nthe REST API. The vulnerability is located at\r\n/rest/prototype/1/session/check/ and the payload used is <img src=a\r\nonerror=alert(document.cookie)>\r\n\r\n [References]\r\n CVE-2015-8398 / SEC-490 / CONF-39689\r\n\r\n [PoC]\r\n http://<Confluence\r\nServer>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E\r\n\r\n\r\n (2) Insecure Direct Object Reference\r\n Two instances of Insecure Direct Object Reference were found\r\nwithin the application, that allows any authenticated user to read\r\nconfiguration files from the application\r\n\r\n [References]\r\n CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704\r\n\r\n [PoC]\r\n http://<Confluence\r\nServer>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>\r\n http://<Confluence\r\nServer>/admin/viewdefaultdecorator.action?decoratorName=<FILE>\r\n\r\n This is an example of accepted <FILE> parameters\r\n /WEB-INF/decorators.xml\r\n /WEB-INF/glue-config.xml\r\n /WEB-INF/server-config.wsdd\r\n /WEB-INF/sitemesh.xml\r\n /WEB-INF/urlrewrite.xml\r\n /WEB-INF/web.xml\r\n /databaseSubsystemContext.xml\r\n /securityContext.xml\r\n /services/statusServiceContext.xml\r\n com/atlassian/confluence/security/SpacePermission.hbm.xml\r\n com/atlassian/confluence/user/OSUUser.hbm.xml\r\n com/atlassian/confluence/security/ContentPermissionSet.hbm.xml\r\n com/atlassian/confluence/user/ConfluenceUser.hbm.xml\r\n\r\n-- \r\nS3ba\r\n@s3bap3\r\nlinkedin.com/in/s3bap3", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39170/"}]}
