exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Comalatech Comala Workflows 4.6.1 CSRF / XSS

Comalatech Comala Workflows 4.6.1 CSRF / XSS
Posted Apr 9, 2015
Authored by J. Krautwald, M. Niederwieser | Site sec-consult.com

Comalatech Comala Workflows versions 4.6.1 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | b9fca79735e3cc4bf975c510e49bbccd87d29af3072e7048d9b25438a79754e7

Comalatech Comala Workflows 4.6.1 CSRF / XSS

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20150409-0 >
=======================================================================
title: Multiple XSS & XSRF vulnerabilities
product: Comalatech Comala Workflows
vulnerable version: <= 4.6.1
fixed version: 4.6.2 for Confluence 5.4+ and 4.5.4 for Confluence 4.3+
impact: High
homepage: https://marketplace.atlassian.com/plugins/com.comalatech.workflow
found: 2015-02-16
by: J. Krautwald (Office Berlin)
M. Niederwieser (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com
=======================================================================

Vendor & product description:
-----------------------------
"Build your Confluence content your own way through Comala Workflows
approvals, tasks, notifications and workflows.
Set customized workflows to create, review, approve and publish your content.
Assign page reviewers
Create team tasks
Publish approved content
Manage your documentation stages
Use Comala Workflows for:
Quality Management, Standards Compliance, Technical Documentation,
Editorial Publishing"

Source: https://marketplace.atlassian.com/plugins/com.comalatech.workflow


Business recommendation:
------------------------
Comala Workflows suffers from multiple vulnerabilities due to improper input
and output validation. By exploiting these vulnerabilities an attacker could:
1. Attack other users of the web application with JavaScript code,
browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.


Vulnerability overview/description:
-----------------------------------
1. Multiple cross-site scripting issues
Comala Workflows suffers from multiple reflective & stored cross-site
scripting vulnerabilities, which allow an attacker to steal other user's
sessions, to impersonate other users and to gain unauthorized access to
documents hosted in the Confluence instance where the Workflows module is
embedded.
There are many parameters which are not properly sanitized and thus are
vulnerable to XSS.

2. Cross-site request forgery vulnerabilities
Comala Workflows does not implement the use of shared secrets (tokens)
to prevent cross-site request forgery (XSRF) attacks.
If an attacker is able to lure a user into clicking a crafted link or
by embedding such a link within web pages (e.g. discussion forums) he
could manipulate data or automatically inject XSS payloads to attack
other users.


Proof of concept:
-----------------
1. Multiple cross-site scripting issues
a) The input parameters for giving a workflow a name, appending a label to a
given workflow, or adding a new task for a given state are not properly
sanitized and thus susceptible to reflected cross-site scripting. The hereby
affected scripts alongside the vulnerable GET parameters are:
Script GET Parameter(s)
saveproperties.action newLabelName, newWorkflowName
newtask.action taskName

When editing an existing workflow via the Markup functionality (accessible via
the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the attachment-macro is
also susceptible to reflected cross-site scripting.

b) When editing an existing workflow via the Markup functionality (accessible
via the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the workflow element
task does not sanitize the given input and is thus susceptible to
cross-site scripting. The application does not sanitize the given input before
printing it to the "Page Activity" popup which leads to the execution of the
permanently injected script. When assigning such a task to a co-worker, an
e-mail containing the actual payload is sent to the assigned person and when
opening the "My Comala Workflow Tasks", "Page Activity", or
"Page Activity Macro" page, it gets executed.

2. Cross-site request forgery vulnerabilities
The /plugins/approvalsworkflow/saveworkflowmarkup.action script for editing
an existing workflow via the Markup functionality, for example, is susceptible
to cross-site request forgery. If an attacker knows a valid project name
(key parameter) and the corresponding workflow name (workflowName parameter),
she might exploit this vulnerability to set the Markup code of the workflow
to an arbitrary value (e.g. a XSS payload via the task element, see 1. b)).


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in up to and including
version 4.6.1.


Vendor contact timeline:
------------------------
2015-03-17: Contacted vendor through email
2015-03-18: Vendor confirmed vulnerabilities, offered workaround and said
they would fix the vulnerabilities asap
2015-04-08: Vendor released updated versions and advisory
2015-04-09: Coordinated release of security advisory


Solution:
---------
Upgrade Comala Workflows to version 4.6.2 for Confluence 5.4+ or
upgrade Comala Workflows to version 4.5.4 for Confluence 4.3+

See the following advisory by the vendor for further information:
https://wiki.comalatech.com/display/CW/Comala+Workflows+Security+Advisory+2015-04-08


Workaround:
-----------
Disable the legacy attachment and embed macros feature.
Disable page workflows.
Edit workflows to prevent tasks being created (taskable param on states).
Disable workflow tasks.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Krautwald / @2015

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close