Confluence Security Advisory 2009-10-06
In this advisory:
Session Fixation Vulnerability
Severity
Atlassian rates these vulnerabilities as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a security vulnerability which may affect Confluence instances in a public environment. This vulnerability could lead to a session fixation attack, in which the malicious user (attacker) can gain access to a victim's Confluence resources whilst the victim is logged in to their Confluence user account.
The attacker does this by fixating (or setting) their session ID onto the victim's computer. While the victim is logged in, all the victim's privileges are associated with the attacker's session ID, effectively granting the attacker access to all of the Confluence data and resources accessible to the victim.
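As an added illustration (not part of the advisory and not Confluence's own code), the Python below replays the scenario just described against a constructed in-memory session store and shows the standard mitigation: discarding the pre-login session and issuing a fresh identifier once the user authenticates. The store, the function names and the step in which the attacker's identifier reaches the victim's browser are all assumptions of the example.

```python
import secrets

# Constructed in-memory session store standing in for the container's session
# table: session id -> authenticated username, or None while anonymous.
SESSIONS = {}

def new_session():
    """Issue a fresh, unpredictable anonymous session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = None
    return sid

def login_vulnerable(sid, username, credentials_ok):
    """Bind the user to whatever session id the browser presented.

    The id survives authentication, so an id that was planted in the
    victim's browser beforehand now carries the victim's privileges.
    """
    if credentials_ok and sid in SESSIONS:
        SESSIONS[sid] = username
    return sid

def login_fixed(sid, username, credentials_ok):
    """Rotate the session id on successful authentication.

    The pre-login session is destroyed and a new id issued, so an id known
    to anyone else before login is worthless afterwards.
    """
    if not (credentials_ok and sid in SESSIONS):
        return sid
    SESSIONS.pop(sid)
    fresh = new_session()
    SESSIONS[fresh] = username
    return fresh

def whoami(sid):
    """Return the user bound to a session id, or None."""
    return SESSIONS.get(sid)

def run_scenario(login):
    """Replay the advisory's scenario against one login handler.

    Returns (user the attacker's original id maps to after the victim logs in,
    user the victim's post-login id maps to).
    """
    SESSIONS.clear()
    attacker_sid = new_session()      # attacker obtains a valid anonymous id
    fixated_sid = attacker_sid        # assumed: that id is now set in the victim's browser
    victim_sid = login(fixated_sid, "victim", credentials_ok=True)
    return whoami(attacker_sid), whoami(victim_sid)
```

In a servlet container the same effect comes from invalidating the existing HttpSession after the credentials check and obtaining a new one before writing the authenticated principal into it.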
For more information about session fixation attacks, please refer to the following sources:
- Chris Shiflett's Security Corner article
- The Web Application Security Consortium's overview
Risk Mitigation
We recommend either patching or upgrading your Confluence installation to fix these vulnerabilities. Please see the 'Fix' section below.
Alternatively, if you are not in a position to undertake this immediately and you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
Vulnerability
All versions of Confluence prior to 3.0.2 are vulnerable to this security issue.
Fix
These issues have been fixed in Confluence 3.0.2 (see the release notes), which you can download from the download centre.
If you do not wish to upgrade to Confluence 3.0.2 and you are currently running Confluence version 2.10.x or 3.0.x, you can patch your existing installation by downloading the appropriate patch file attached to JIRA issue CONF-15108 and installing the patch file using the instructions provided in this JIRA issue.
Our thanks to Ben L Broussard who reported this vulnerability. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
XSS Vulnerability in Various Confluence Macros
Severity
Atlassian rates these vulnerabilities as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a number of security vulnerabilities which may affect Confluence instances in a public environment. These flaws are cross-site scripting (XSS) vulnerabilities in Confluence's pagetree, userlister and content by label macros. These XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page.
- The attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
- The attacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Risk Mitigation
We recommend either patching or upgrading your Confluence installation to fix these vulnerabilities. Please see the 'Fix' section below.
Alternatively, if you are not in a position to undertake this immediately and you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.
Vulnerability
An attacker can inject their own JavaScript into the Confluence actions listed in the table below. Each of the actions is invoked when a user performs a specific function in Confluence, such as clicking a link or a button. The actions can also be invoked by simply entering the URL into the browser address bar. The rogue JavaScript will be executed when a user invokes the URL.
For more details please refer to the related JIRA issue, also shown in the table below.
Confluence action | Affected Confluence Versions | Fix Availability | More Details
---|---|---|---
Pagetree Macro | 2.8.0 – 3.0.1 | 2.10.0 – 3.0.2 inclusive | 
Userlister Macro | 2.6.0 – 3.0.1 | 2.10.0 – 3.0.2 inclusive | 
Content by Label Macro | 2.10.0 – 3.0.1 | 2.10.0 – 3.0.2 inclusive | 
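As an added example (not part of the advisory and not the real macro code), the Python below renders a constructed stand-in for a label-driven macro from two URL-supplied parameters, first with the parameters interpolated raw and then HTML-escaped for the context each lands in, and checks the result at the parser level rather than by string search. The markup, parameter names and payload strings are constructed for the example.

```python
import html
from html.parser import HTMLParser

def render_macro_vulnerable(label, title):
    """Interpolate URL-supplied macro parameters straight into the page markup."""
    return (f'<div class="contentbylabel" title="{title}">'
            f'<h3>Content labelled {label}</h3></div>')

def render_macro_fixed(label, title):
    """Escape each parameter for the HTML context it is placed in.

    quote=True also turns " and ' into entities, so a value inside an
    attribute cannot close that attribute and start a new one.
    """
    return (f'<div class="contentbylabel" title="{html.escape(title, quote=True)}">'
            f'<h3>Content labelled {html.escape(label, quote=True)}</h3></div>')

class ActiveContentDetector(HTMLParser):
    """Record script elements and on* event-handler attributes the parser sees."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")

def active_content(markup):
    """Return the active-content findings for a rendered fragment.

    Checking at the parser level matters: the escaped output still contains
    the text 'onmouseover=', but no longer as an attribute a browser acts on.
    """
    detector = ActiveContentDetector()
    detector.feed(markup)
    detector.close()
    return detector.findings

# Constructed parameter values of the kind that would arrive in a request URL:
# one breaks out of element content, the other out of an attribute value.
LABEL_PAYLOAD = "<script>alert(1)</script>"
TITLE_PAYLOAD = '" onmouseover="alert(1)'
```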
Fix
These issues have been fixed in Confluence 3.0.2 (see the release notes), which you can download from the download centre.
If you do not wish to upgrade to Confluence 3.0.2, you can patch your existing installation by upgrading the plugins for these macros via the Confluence Plugin Repository to the version indicated in the JIRA issues listed in the vulnerability section (above).