Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Comalatech Comala Workflows 4.6.1 CSRF / XSS Vulnerabilities

🗓️ 10 Apr 2015 00:00:00Reported by Manish TanwarType 
zdt
 zdt🔗 0day.today👁 39 Views

Multiple XSS & XSRF vulnerabilities in Comala Workflows 4.6.

Code
title: Multiple XSS & XSRF vulnerabilities
            product: Comalatech Comala Workflows
 vulnerable version: <= 4.6.1
      fixed version: 4.6.2 for Confluence 5.4+ and 4.5.4 for Confluence 4.3+
             impact: High
           homepage: https://marketplace.atlassian.com/plugins/com.comalatech.workflow
              found: 2015-02-16
                 by: J. Krautwald (Office Berlin)
                     M. Niederwieser (Office Vienna)


Vendor & product description:
-----------------------------
"Build your Confluence content your own way through Comala Workflows
approvals, tasks, notifications and workflows.
Set customized workflows to create, review, approve and publish your content.
Assign page reviewers
Create team tasks
Publish approved content
Manage your documentation stages
Use Comala Workflows for:
Quality Management, Standards Compliance, Technical Documentation,
Editorial Publishing"

Source: https://marketplace.atlassian.com/plugins/com.comalatech.workflow


Business recommendation:
------------------------
Comala Workflows suffers from multiple vulnerabilities due to improper input
and output validation. By exploiting these vulnerabilities an attacker could:
    1. Attack other users of the web application with JavaScript code,
       browser exploits or Trojan horses, or
    2. perform unauthorized actions in the name of another logged-in user.


Vulnerability overview/description:
-----------------------------------
1. Multiple cross-site scripting issues
Comala Workflows suffers from multiple reflective & stored cross-site
scripting vulnerabilities, which allow an attacker to steal other user's
sessions, to impersonate other users and to gain unauthorized access to
documents hosted in the Confluence instance where the Workflows module is
embedded.
There are many parameters which are not properly sanitized and thus are
vulnerable to XSS.

2. Cross-site request forgery vulnerabilities
Comala Workflows does not implement the use of shared secrets (tokens)
to prevent cross-site request forgery (XSRF) attacks.
If an attacker is able to lure a user into clicking a crafted link or
by embedding such a link within web pages (e.g. discussion forums) he
could manipulate data or automatically inject XSS payloads to attack
other users.


Proof of concept:
-----------------
1. Multiple cross-site scripting issues
a) The input parameters for giving a workflow a name, appending a label to a
given workflow, or adding a new task for a given state are not properly
sanitized and thus susceptible to reflected cross-site scripting. The hereby
affected scripts alongside the vulnerable GET parameters are:
   Script                       GET Parameter(s)
   saveproperties.action        newLabelName, newWorkflowName
   newtask.action               taskName

When editing an existing workflow via the Markup functionality (accessible via
the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the attachment-macro is
also susceptible to reflected cross-site scripting.

b) When editing an existing workflow via the Markup functionality (accessible
via the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the workflow element
task does not sanitize the given input and is thus susceptible to
cross-site scripting. The application does not sanitize the given input before
printing it to the "Page Activity" popup which leads to the execution of the
permanently injected script. When assigning such a task to a co-worker, an
e-mail containing the actual payload is sent to the assigned person and when
opening the "My Comala Workflow Tasks", "Page Activity", or
"Page Activity Macro" page, it gets executed.

2. Cross-site request forgery vulnerabilities
The /plugins/approvalsworkflow/saveworkflowmarkup.action script for editing
an existing workflow via the Markup functionality, for example, is susceptible
to cross-site request forgery. If an attacker knows a valid project name
(key parameter) and the corresponding workflow name (workflowName parameter),
she might exploit this vulnerability to set the Markup code of the workflow
to an arbitrary value (e.g. a XSS payload via the task element, see 1. b)).


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in up to and including
version 4.6.1.


Vendor contact timeline:
------------------------
2015-03-17: Contacted vendor through email
2015-03-18: Vendor confirmed vulnerabilities, offered workaround and said
            they would fix the vulnerabilities asap
2015-04-08: Vendor released updated versions and advisory
2015-04-09: Coordinated release of security advisory


Solution:
---------
Upgrade Comala Workflows to version 4.6.2 for Confluence 5.4+ or
upgrade Comala Workflows to version 4.5.4 for Confluence 4.3+

See the following advisory by the vendor for further information:
https://wiki.comalatech.com/display/CW/Comala+Workflows+Security+Advisory+2015-04-08


Workaround:
-----------
Disable the legacy attachment and embed macros feature.
Disable page workflows.
Edit workflows to prevent tasks being created (taskable param on states).
Disable workflow tasks.

#  0day.today [2018-04-09]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Apr 2015 00:00Current
6.9Medium risk
Vulners AI Score6.9
comala workflowscross-site scriptingcross-site request forgeryconfluencevulnerabilitiessecurityjavascript codeimproper input validationcsrf attacksconfluence documentsimproper parameter sanitizationunauthorized accessshared secretsxsrf attackscrafted linkdata manipulationproof of concept
39