SEC Consult SA-20170613-0 :: Access Restriction Bypass in Atlassian Confluence

--------------ms060909070602060402070109
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
              title: Access Restriction Bypass
            product: Atlassian Confluence
 vulnerable version: 4.3.0 - 6.1.1
      fixed version: 6.2.1
         CVE number: -
             impact: Medium
           homepage: https://www.atlassian.com/
              found: 2017-03-27
                 by: Mathias Frank (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Mo=
scow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Z=
urich

                     https://www.sec-consult.com

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Vendor description:
-------------------
"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set
conventional wisdom on its ear by launching a successful enterprise
software company with no sales force. From Australia. Our first product, =
JIRA,
proved that if you make a great piece of software, price it right, and ma=
ke
it available to anyone to download from the internet, teams will come. An=
d
theyll build great things with it. And theyll tell two friends, and so =
on,
and so on.
Today a lot has changed. Were over 1,700 Atlassians (and growing), in si=
x
locations, with products to help all types of teams realize their visions=
 and
get stuff done. But the fundamentals remain the same. Were for teams bec=
ause
we believe that great teams can do amazing things. Were not afraid to do=

things differently. And were driven by an inspiring set of values that s=
hape
our culture and our products for the better."

Source: https://www.atlassian.com/company


Business recommendation:
------------------------
SEC Consult recommends to upgrade to the latest version available which f=
ixes
the identified issue.


Vulnerability overview/description:
-----------------------------------
1) Access Restriction Bypass
The "watch" functionality provides a user the option to subscribe to spec=
ific
content. Furthermore, the user gets a notification for any new comment ma=
de to the
previously subscribed content.

A user can manually subscribe to pages which he is not able to view and h=
e then
receives any further comment made on the restricted page.


Proof of concept:
-----------------
1) Access Restriction Bypass
Prerequisite as admin user just for a proof of concept demo page:
* Create a Space "Demo Space" visible for every user and group
* Create a Page "Demo Page" (example pageID: 1048582) and restrict the
  "Viewing and editing restriction" to only the administrator group/user =
with
  the "/pages/getcontentpermissions.action" function.


Send the following request as user:
-------------------------------------------------------------------------=
-----
POST /users/addpagenotificationajax.action HTTP/1.1
Host: localhost:8090
Referer: http://localhost:8090/display/ds/Welcome+to+Confluence
Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
X-Requested-With: XMLHttpRequest
[...]

pageId=3D1048582&atl_token=3D1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7
-------------------------------------------------------------------------=
-----

Then the user is subscribed to the "Demo Page" and receives a notificatio=
n and is
able to receive any further comments made on the subscribed page.


Vulnerable / tested versions:
-----------------------------
The following version has been tested by SEC Consult
Atlassian Confluence version 5.9.14 and 6.1.1

Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are af=
fected.


Vendor contact timeline:
------------------------
2017-04-03: Contacting vendor through security@atlassian.com
2017-04-05: Vendor confirmed the vulnerability and issued the references
            CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Con=
fluence
            Cloud)
2017-04-13: Vendor fixed the issue CONFCLOUD-54634.
2017-05-11: Asked for planned timeline and release of an fix for CONFSERV=
ER-52241.
2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1=
=2E
2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for rele=
ase along
            with the advisory - https://jira.atlassian.com/browse/CONFSER=
VER-52560
2017-06-13: Public release of advisory.


Solution:
---------
Upgrade to version 6.2.1 available at:
https://www.atlassian.com/software/confluence/download
The effectiveness of the fix was verified by the SEC Consult Vulnerabilit=
y Lab.

https://jira.atlassian.com/browse/CONFSERVER-52560


Workaround:
-----------
Disable workbox notifications as per the instructions found at
https://confluence.atlassian.com/doc/configuring-workbox-notifications-30=
1663830.html


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. I=
t
ensures the continued knowledge gain of SEC Consult in the field of netwo=
rk
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evalu=
ation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and v=
alid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consu=
lt?
Contact our local offices https://www.sec-consult.com/en/About/Contact.ht=
m
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Mathias Frank / @2017


--------------ms060909070602060402070109
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
CxgwggSvMIIDl6ADAgECAhEA4CPLFRKDU4mtYW56VGdrITANBgkqhkiG9w0BAQsFADBvMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4
dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTE0MTIyMjAwMDAwMFoXDTIwMDUzMDEwNDgzOFowgZsxCzAJBgNVBAYTAkdCMRswGQYD
VQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNP
TU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVu
dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAImxDdp6UxlOcFIdvFamBia3uEngludRq/HwWhNJFaO0jBtgvHpRQqd5jKQi3xdh
TpHVdiMKFNNKAn+2HQmAbqUEPdm6uxb+oYepLkNSQxZ8rzJQyKZPWukI2M+TJZx7iOgwZOak
+FaA/SokFDMXmaxE5WmLo0YGS8Iz1OlAnwawsayTQLm1CJM6nCpToxDbPSBhPFUDjtlOdiUC
ISn6o3xxdk/u4V+B6ftUgNvDezVSt4TeIj0sMC0xf1m9UjewM2ktQ+v61qXxl3dnUYzZ7ifr
vKUHOHaMpKk4/9+M9QOsSb7K93OZOg8yq5yVOhM9DkY6V3RhUL7GQD/L5OKfoiECAwEAAaOC
ARcwggETMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBSSYWuC
4aKgqk/sZ/HCo/e0gADB7DAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFs
Q0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVz
ZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQELBQADggEBABsqbqxVwTqriMXY7c1V86prYSvACRAj
mQ/FZmpvsfW0tXdeDwJhAN99Bf4Ss6SAgAD8+x1banICCkG8BbrBWNUmwurVTYT7/oKYz1gb
4yJjnFL4uwU2q31Ypd6rO2Pl2tVz7+zg+3vio//wQiOcyraNTT7kSxgDsqgt1Ni7QkuQaYUQ
26Y3NOh74AEQpZzKOsefT4g0bopl0BqKu6ncyso20fT8wmQpNa/WsadxEdIDQ7GPPprsnjJT
9HaSyoY0B7ksyuYcStiZDcGG4pCS+1pCaiMhEOllx/XVu37qjIUgAmLq0ToHLFnFmTPyOInl
tukWeh95FPZKEBom+nyK+5swggZhMIIFSaADAgECAhAriv4GJbNgG4KONRhUqx20MA0GCSqG
SIb3DQEBCwUAMIGbMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy
MRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UE
AxM4Q09NT0RPIFNIQS0yNTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1h
aWwgQ0EwHhcNMTcwMzAxMDAwMDAwWhcNMjAwMjI5MjM1OTU5WjCCAVcxCzAJBgNVBAYTAkFU
MQ0wCwYDVQQREwQyNzAwMRowGAYDVQQIExFOaWVkZXJvZXN0ZXJyZWljaDEVMBMGA1UEBxMM
V3IuIE5ldXN0YWR0MRkwFwYDVQQJExBLb21hcmlnYXNzZSAxNC8xMS4wLAYDVQQKEyVTRUMg
Q29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIMUkwRwYDVQQLE0BJc3N1ZWQgdGhy
b3VnaCBTRUMgQ29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIIEUtUEtJIE1hbmFn
MR8wHQYDVQQLExZDb3Jwb3JhdGUgU2VjdXJlIEVtYWlsMSYwJAYDVQQDEx1TRUMgQ29uc3Vs
dCBWdWxuZXJhYmlsaXR5IExhYjEnMCUGCSqGSIb3DQEJARYYcmVzZWFyY2hAc2VjLWNvbnN1
bHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5+LisxDXcLwArMnTESPr
5G/6PY0xWAvPc81sZGgHbf4at31qtZn9eVMGAPx4nJShJVZsB3+0OavWSM1PvcsMgVp8ovIf
gnE05A/LZ4k38pMU+Zl0pcGx5TFQevKmCDwqV9JqLIoleIKHCeQVmZhGC7zccEYvKtvQqWsq
VJDFHPZisoIGl9YS048T8c9al1FQtIx3SDtxZhyigHI1t8kFAHloWGP8KCMIMX6g9FlTIlnQ
YFUAkQ/49KRyUDEHdRZey9hQLuvrgRKWZn1TxeTWW41IZKUQC6Lhb3LgrQzUQoR7dbdASh+3
sqiw1642dkyxChRoOptpoC1Wo5HLTELzYQIDAQABo4IB4DCCAdwwHwYDVR0jBBgwFoAUkmFr
guGioKpP7GfxwqP3tIAAwewwHQYDVR0OBBYEFBEBR5dneBkup36i0hf8pUVsEpMlMA4GA1Ud
DwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcD
AjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBTArMCkGCCsGAQUFBwIBFh1odHRwczovL3Nl
Y3VyZS5jb21vZG8ubmV0L0NQUzBdBgNVHR8EVjBUMFKgUKBOhkxodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9DT01PRE9TSEEyNTZDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWls
Q0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDBYBggrBgEFBQcwAoZMaHR0cDovL2NydC5jb21v
ZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFp
bENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCMGA1UdEQQc
MBqBGHJlc2VhcmNoQHNlYy1jb25zdWx0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAQ9HL1/pw
/3RSCgHwSKfAejchG11KoLrm+7xdqBC1nVgJaQeX8smjraljd1PAL4KthtNP0Tr+DNr4d4hQ
WwHz/LnB0iap44v8LTaHTDUbWYD5NsOg8sD1JMQI8Jt6vC7Im+9O/rHxmvhL18hWoK4aIK/k
QG7eOfO5UmurKh7StuhE3t4KKEQnSTUCy+kNe8ut4KZdRs+o+mpSH09ecLo99Qs/FuaZMTgh
hZWkcSC1YT1jQDIF3lRDk+/+HbQ0h34tgPi/wJlI/7moci7B2AzYWFeHWcrGnuE6kZkRWtQV
F/u1NODSMp1DU3EzHLueYNufSYLWHh+yyzNnaoP5u7oLeDGCBEEwggQ9AgEBMIGwMIGbMQsw
CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm
b3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UEAxM4Q09NT0RPIFNIQS0y
NTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECECuK/gYls2Ab
go41GFSrHbQwDQYJYIZIAWUDBAIBBQCgggJhMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTE3MDYxMzA4MjIzN1owLwYJKoZIhvcNAQkEMSIEIA7w2hjrhPHG
Qck9dsibObHVSD6a6yDUxWPhazxc9asSMGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEq
MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwIC
AUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgcEGCSsGAQQBgjcQBDGBszCBsDCBmzELMAkG
A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9y
ZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2
IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KO
NRhUqx20MIHDBgsqhkiG9w0BCRACCzGBs6CBsDCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP
IENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNh
dGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KONRhUqx20MA0GCSqGSIb3DQEB
AQUABIIBAJWw7QkwbbNZjf7fQPqT3myfV7YOwRP8kNuXA7x5h6758OqlvGq2BgHFbj0OGoSf
4QoFmIf4cgYslrl3aeiAz5C76clSikyzxysvsnEMNQm3xk1RTAy4ld6Mnjtni8MbLGMq/zu4
WzW+WQ9tMHpZOfSvfWyWl0Om8JuW9ysdYKyjDvfvTg+NuCBSGJ+suzP84YRWmJbscFvdlXQn
/TdHv70RDvcIvPNTW8Mg8erwzGqykAnNv7RALfWzNAhlWJMDxpsLuMK1WH5vF1kr4NMYEMFK
lNR04OARZJ18kzmL6VzoK5PBddQMMEXTI978FvGf+noy9hWs+mWHwgBG7gD87vcAAAAAAAA=
--------------ms060909070602060402070109--