exploit the possibilities

Pages For Bitbucket Server 2.6.0 Cross Site Scripting

Pages For Bitbucket Server 2.6.0 Cross Site Scripting
Posted Feb 1, 2019
Authored by Simon Moser

Pages for Bitbucket Server versions 2.6.0 and below suffer from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2018-19498
MD5 | 62046cd2b831073f17255781ec9af43f

Pages For Bitbucket Server 2.6.0 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-037
Product: Pages for Bitbucket Server
Manufacturer: Simplenia AG
Affected Version(s): 2.6.0 and before
Tested Version(s): 2.6.0
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-11-26
Solution Date: 2018-12-19
Public Disclosure: 2019-01-31
CVE Reference: CVE-2018-19498
Author of Advisory: Simon Moser, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Pages for Bitbucket Server is a plugin for Bitbucket Server to display HTML
files in a repository.

The manufacturer describes the product as follows (see [1]):

"The Pages plugin allows you to publish static web pages in Bitbucket Server
easily. Repository administrators can enable serving of static web pages for
any existing branch or tag. Once enabled, users will be able to view HTML
files of this branch or tag directly in Bitbucket."

This design allows for cross-site scripting since its injected HTML code
is provided at a subpath of the Bitbucket application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Published HTML files using the Pages plugin can contain JavaScript code.
Therefore, it is, for instance, possible to access unprotected cookies or to
execute actions on the web interface.

This would not pose a threat if the executed code was contained on
a subdomain or a different path (if Bitbucket himself already uses a subpath),
since most cookies are restricted to their respective path.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Enable Pages for selected branch (Repository settings > Web Pages > Enabled)
2. Upload the following HTML file into this branch:
* git clone <user>@<bitbucket URL>/scm/<project>/<repository>
* cd <repository>
* echo "<html><body><h1>Cookies</h1>
<script>document.write(document.cookie);</script>
</body></html>" > index.html
* git add index.html
* git commit -m "XSS PoC"
* git push
3. Visit https://<bitbucket URL>/pages/<project>/<repository>/browse/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to the version 2.6.1 or higher of the plugin and disable JavaScript in
custom pages

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-20: Vulnerability discovered
2018-11-26: Vulnerability reported to manufacturer
2018-12-19: Update released by manufacturer
2019-01-31: Advisory publicly released

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Pages for Bitbucket Server
https://www.simplenia.com/bitbucket-plugins/pages
[2] SySS Security Advisory SYSS-2018-037
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-037.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Simon Moser of SySS GmbH.

E-Mail: simon.moser@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Simon_Moser.asc
Key ID: 0x5FF2CFC6
Key Fingerprint: E3C2 A86E 530D 8BD3 C40B 6542 8376 5B89 5FF2 CFC6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE48KoblMNi9PEC2VCg3ZbiV/yz8YFAlxO9M4ACgkQg3ZbiV/y
z8b6EwgAjb83VSpSDV0txIs/BjKpZohU6jDDJBfmyv9lXxQIosY+1bi62k69iRC2
UIySI26wh9iwO4mC+86Iu0m/ZUmQ/fhtVPwd6tYWx30x/DxPOQAnTKHox4OL2a13
hw5IWlcki5C3UJKXagPQlr7aEu4mdjSezMopboafi7cPs8HF6PDLOdIA/Y6Hoa27
aPKZWq9j10N+0BsdTM0D2gV8zjgO2EY2mY/WCjj78O1eiRhvwyDz4eJKRI6FG+gS
M3i7NZBN9VsZiJOyYdLOS/sq/eZbI39gXpUbJvSXsJlQFqOMMIICfgukycGv47Op
jiT/zWoE7Qh3WmmXPfcF45PQ9zat3w==
=BCXs
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close