【CVE-2019-3396】:SSTI and RCE in Confluence Server via Widget Connector
source link: https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/
Security Advisory
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html
Analysis
According to the documentation, there are three parameters you can set to control the content or format of the macro output: URL, Width and Height.
The Widget Connector has defined some renderers, for example the FriendFeedRenderer:
In FriendFeedRenderer's getEmbeddedHtml function, you will see that they put another option, _template, into the params map.
However, some other renderers, such as those in the video category, just call render(getEmbedUrl(url), params) directly.
So in this situation, we can "offer" the _template ourselves, and the backend will use the params (including our _template) to render.
Reproduce
Patch
In the fixed version, doSanitizeParameters is called before rendering the HTML, and it removes _template from the parameters. The code may look like this: