by r0t,der4444,cembo,VietMafia

Friday, December 02, 2005

Confluence – the Enterprise Wiki, XSS vuln.

Vuln. discovered by: r0t
Date: 2 Dec. 2005
Vendor: http://www.atlassian.com/software/confluence/
Affected version: 2.0.1 Build #321, Nov 28, 2005

Product Description:
Confluence is an enterprise wiki that makes it easy for your team to collaborate and share knowledge. Confluence - The Enterprise Wiki. Adding, sharing and finding content has never been easier.
These benefits come with all the additional features needed to make it a part of your business:

* Enterprise security
* Simple installation and management
* Attractive, user-friendly interface
* Powerful tools for structuring and searching your wiki
* Professional features such as PDF export and automated refactoring
* An open API for extension and integration
* Atlassian's Legendary Service.


Vuln. Description:
Input passed to the search module's parameters isn't properly sanitised before being returned (reflected) to the user in the response page. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised, i.e. that search parameters are escaped for the HTML context in which they are echoed back.
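As an added illustration (not part of this advisory or of Confluence's own code), the flaw class described above beside its fix, written in Python as a stand-in for the Java application: one search-results renderer reflects the `q` parameter raw, the other HTML-escapes it in both the text and the attribute context where it is echoed. The parameter name, the template and the sample input are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed, minimal search-results page that reflects the "q" parameter
# in two places: the page heading (HTML text context) and the value of the
# search box (quoted attribute context).
TEMPLATE = (
    '<h1>Search results for: {body}</h1>\n'
    '<input type="text" name="q" value="{attr}">'
)


def _search_term(query_string: str) -> str:
    """Extract the 'q' parameter from a URL query string ('' if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """The flaw: the term is echoed verbatim, so any markup in it is
    interpreted by the browser."""
    q = _search_term(query_string)
    return TEMPLATE.format(body=q, attr=q)


def render_safe(query_string: str) -> str:
    """The fix: escape <, >, & and quotes before echoing. quote=True also
    covers the double-quoted attribute, so one escaped value fits both
    contexts used in TEMPLATE."""
    q = _search_term(query_string)
    safe = html.escape(q, quote=True)
    return TEMPLATE.format(body=safe, attr=safe)


def reflects_raw_markup(page: str, term: str) -> bool:
    """Regression check for a test suite: True if a term containing tags
    comes back in the page unescaped."""
    return "<" in term and term in page


# Constructed sample request: q=<b>wiki</b> (URL-encoded).
SAMPLE = "q=%3Cb%3Ewiki%3C%2Fb%3E"

if __name__ == "__main__":
    term = _search_term(SAMPLE)
    print("unsafe reflects markup:", reflects_raw_markup(render_unsafe(SAMPLE), term))
    print("safe reflects markup:  ", reflects_raw_markup(render_safe(SAMPLE), term))
```

The check is deliberately narrow; escaping must always match the output context (a value placed inside a script block or a URL needs different encoding than HTML text).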

5 Comments:

Blogger Charles Miller told...

This problem is fixed in Confluence 2.0.2.

Our own security advisory for the flaw, including instructions to patch older versions, can be found here: http://confluence.atlassian.com/x/dz4C

Downloadable patches for Confluence 2.0.x and 1.4.x are available here: http://jira.atlassian.com/browse/CONF-4825


I know I've been out of the security community for a year or two, but isn't the standard practice still to inform the vendor and give them a reasonable amount of time to make a patch before releasing an advisory? Atlassian takes security-related bug reports seriously, and our patch/test turnaround is never more than a couple of days.

2:07 AM

 
Anonymous r0t told...

It's great if you make a patch so fast.
If you were in the sec scene one or two years ago, you never made mistakes like those.
And don't forget that your web applications aren't cheap; if you make money, then you must care about it.
I will never contact a vendor who does business with unsecured stuff, whether it is standard or not; in this blog I post for free to let people know about unsecured stuff and not only to help vendors.

2:54 AM

 
Anonymous Anonymous told...

Going public without giving the vendor's clients at least a chance of getting a fix from an official source is just downright irresponsible.

This isn't about saving face for the vendor, this is about preserving the security of the general public! What you have done here is nothing short of giving malicious attackers a window of opportunity to attack innocent victims.

Were you worried that by giving the vendor chance to correct their mistake that you wouldn't get as much publicity for your blog?

In my opinion, you are the security world's version of an ambulance chasing lawyer.

12:00 PM

 
Blogger David Peterson told...

So, your philosophy is that if I pay a company for a website product, you feel I deserve to have my website which uses that product hacked. You obviously went to the effort of visiting Atlassian's website to copy-n-paste their blurb about the product, but couldn't bring yourself to expend the effort to find their contact page and let them know what you found.

The only people who are helped by posting vulnerabilities without attempting to contact the vendor so they can fix the problem are those wishing to exploit the weakness. Which makes your attitude at best irresponsible and at worst criminal.

And as for Atlassian making money from their product, I for one hope they do. That way they can continue to fix security bugs and add new features to a great product. But they are also one of the most generous companies I've come across, offering free licenses to non-profit and open source organisations and big discounts to education.

I applaud your diligence in finding security problems, but your motive and execution need a serious overhaul.

12:36 PM

 
Blogger r0t told...

No, my opinion isn't that shareware is bad and free stuff is good. NO... a web application is a web application, whether it is for free or for $...
About attackers, I don't release any exploits or real PoC, just a poor description and maybe an example of how to detect the vuln. and not how to use it.
About vuln. reports, I'm not a developer of any kind of software; I only test it, and as you see the blog name is "Unsecured Systems", so I publish my reports about unsecured systems and that's all.
If software doesn't have simple bugs, it will not be in my reports.
And this has nothing to do with my skills or, as you say, being prof.; look, the right way and the professional way is that I first contact the vendor and report the vuln. You can be sure there were vendors who got my reports 1 year ago and till now nothing is fixed, and why should people trust irresponsible vendors?
When you develop an unsecure product and sell it or give it to people for free, that's your problem, but believe me it's more dangerous for everyone than my reports.

3:14 PM

 

Copyright (c) 2006 Pridels Sec Crew