The tale of A CVE

SecurityBoy
Aug 30, 2021

CVE-2018-20237 Explained!

Atlassian Confluence

Hello everyone! Today I am going to explain a CVE that affects Atlassian Confluence, a web-based wiki for corporate use.

As per the description provided by Atlassian at https://jira.atlassian.com/browse/CONFSERVER-57814, Atlassian Confluence Server from version 6.12.0 (or earlier), and before version 6.13.1 or before version 6.14.0, allows an authenticated user to download a deleted page via the Word export feature.

So, I was testing on a private invitation where this particular vulnerable asset was in scope. From the banner, I saw that the asset was running Confluence v6.6.x. Since the asset allowed anyone to create an account (I will discuss how this is a problem, and the solution, later in this blog), I created a pair of credentials for myself and went ahead with my testing.

Now, as I had found that the asset was running an older version of Confluence, there were many issues; however, when I was going over the CVEs associated with that version, CVE-2018-20237 caught my attention. When I tried to test it, I could reproduce it. Here is how:

So, as per the description of the CVE, a deleted page can be downloaded using the Word export feature. I quickly created two test pages and noted the page ID of the page I was going to delete. After noting down the page ID, I deleted that page and kept the other page as it was.

Page that I deleted

I quickly opened Burp and configured it to intercept the traffic, with the target scope being the asset.

Now, when I tried to export the second page as Word, this is what I saw in Burp:

Burp request when I tried to export the 2nd page as Word.

Did you notice the pageId parameter in the GET request? I replaced the current page ID with the pageId of the deleted page and forwarded the request.

A Word doc of the deleted page being downloaded

And I was able to download the page which I had deleted, reproducing the CVE.

The downloaded page via word export

Now, coming to how to fix this issue:

Atlassian has published a fix in later versions. Admins need to upgrade Confluence to the latest stable version available.

Also, as I discussed earlier, restrict users from creating accounts by themselves. Atlassian provides functionality for admins to restrict sign-up under the 'Users and Security' section of the admin console.

Apart from this, admins can configure notifications whenever a new account is created. Going through audit logs to look for anomalies and protecting sign-up with a captcha (so that automated spiders cannot register accounts) are further recommendations.
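As an added example that is not part of the original post, here is a small detection script that ties the reproduction above to the "audit logs for anomalies" recommendation: it parses web-server access log lines, picks out Word export requests, and flags (a) successful exports whose pageId belongs to a page the audit trail says was already deleted, which is exactly the behaviour of CVE-2018-20237, and (b) a single user exporting many distinct page IDs in a row, which looks like someone walking the pageId space rather than exporting a page they opened. The log lines and the deleted-page set are constructed sample data, the export endpoint path `/exportword` and the combined log format with the authenticated user in the third field are assumptions, and the function names are mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format). The Word-export
# path (/exportword) and the user appearing in the auth-user field are
# assumptions, not something the post above states.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Aug/2021:10:01:02 +0000] "GET /exportword?pageId=65601 HTTP/1.1" 200 18321 "-" "Mozilla/5.0"
10.0.0.5 - alice [30/Aug/2021:10:01:40 +0000] "GET /exportword?pageId=65604 HTTP/1.1" 200 18210 "-" "Mozilla/5.0"
10.0.0.9 - bob [30/Aug/2021:10:02:15 +0000] "GET /pages/viewpage.action?pageId=65601 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
10.0.0.7 - mallory [30/Aug/2021:10:03:01 +0000] "GET /exportword?pageId=65604 HTTP/1.1" 200 18210 "-" "curl/7.79"
10.0.0.7 - mallory [30/Aug/2021:10:03:02 +0000] "GET /exportword?pageId=65605 HTTP/1.1" 200 17002 "-" "curl/7.79"
10.0.0.7 - mallory [30/Aug/2021:10:03:03 +0000] "GET /exportword?pageId=65606 HTTP/1.1" 200 16120 "-" "curl/7.79"
10.0.0.7 - mallory [30/Aug/2021:10:03:04 +0000] "GET /exportword?pageId=65607 HTTP/1.1" 404 512 "-" "curl/7.79"
"""

# Constructed set of page IDs that were deleted before the log window. In a
# real deployment this comes from the Confluence audit log or database.
DELETED_PAGE_IDS = {"65604", "65606"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

EXPORT_PATH = "/exportword"  # assumed Word-export endpoint


def parse_export_requests(log_text):
    """Return (user, ip, timestamp, page_id, status) for each Word-export request."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        url = urlparse(m["target"])
        if url.path != EXPORT_PATH:
            continue  # page views and other requests are not of interest here
        page_ids = parse_qs(url.query).get("pageId")
        if not page_ids:
            continue
        events.append((m["user"], m["ip"], m["ts"], page_ids[0], int(m["status"])))
    return events


def exports_of_deleted_pages(events, deleted_ids):
    """Successful exports whose pageId belongs to an already-deleted page:
    the behaviour CVE-2018-20237 describes."""
    return [e for e in events if e[3] in deleted_ids and e[4] == 200]


def enumerating_users(events, threshold=3):
    """Users whose export requests touch at least `threshold` distinct page IDs,
    i.e. likely walking the pageId space rather than exporting one page."""
    per_user = defaultdict(set)
    for user, _ip, _ts, page_id, _status in events:
        per_user[user].add(page_id)
    return {u: sorted(ids) for u, ids in per_user.items() if len(ids) >= threshold}


def report(log_text=SAMPLE_LOG, deleted_ids=DELETED_PAGE_IDS):
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse_export_requests(log_text)
    return {
        "deleted_page_exports": exports_of_deleted_pages(events, deleted_ids),
        "enumerating_users": enumerating_users(events),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

On the sample data the script reports three successful exports of deleted pages (one by alice, two by mallory) and flags mallory as enumerating four distinct page IDs. On a patched instance the first check should come back empty, so a non-empty result after the upgrade is worth a second look at the version actually running.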

I hope you can make use of this blog to test and secure your assets. I am not the author of the CVE, and all credit goes to the researchers who put in the effort to publish it. It might be 'Low' in severity; however, that might differ from organization to organization depending on how the asset is being utilized.

Thank you!
