Remote Code Execution – LimeSurvey (CVE-2018-7556)

One day in 2018, while participating in a bug bounty program, this target caught my attention:

The reason was pretty simple: LimeSurvey is a name I had never heard before. I thought to myself that for uncommon software like this, it should take no more than 5 minutes to find an RCE.

With that belief in mind, I quickly grabbed its source code and started auditing, only to realize later that my assumption was wrong. It took me about 10 minutes, not 5.

Will try harder next time.

Continue reading “Remote Code Execution – LimeSurvey (CVE-2018-7556)”

Leaking issues from linked Jira – Atlassian Confluence Server

Application Links (sometimes called “app links”) is a bundled app that allows you to set up links, share information, and provide access to certain resources or functionality across multiple Atlassian products.

Linking Confluence to other applications allows you to include information from those applications in pages or blogs that you create in Confluence. For example, you could link Confluence to Jira Software and display issues on a Confluence page using the Jira Issues Macro.

https://confluence.atlassian.com/doc/linking-to-another-application-360677690.html

The /plugins/servlet/jira-chart-proxy endpoint in the Server version of Confluence, when called, makes a GET request to the /rest/gadget/1.0/piechart/generate endpoint of the linked Jira application in order to fetch the pie chart for a given JQL query. If you have not heard of JQL before, it is a query language for searching issues in Jira more efficiently, especially when a search combines multiple criteria, for example:

status=resolved OR project="BB" OR assignee=ycs OR text ~ "yeuchism*"

You can read more about JQL here, or take a quick look at its cheatsheet to get an idea of how it works.

Continue reading “Leaking issues from linked Jira – Atlassian Confluence Server”

CSRF Protection Bypass in Atlassian Confluence Server

The Server version of Atlassian Confluence comes with a built-in plugin named applinks-cors, with the following declaration in file atlassian-plugin.xml:

The CorsFilter class is implemented as below:

As the code shows, for every request whose URL matches one of the defined patterns, the filter adds Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC) headers to the response. The important thing to note is that the value of the ACAO header is copied directly from the Origin header of our request.

Continue reading “CSRF Protection Bypass in Atlassian Confluence Server”

RCE in Telerik UI for ASP.NET AJAX (CVE-2017-9248)

Summary

Two years ago, Progress released a security advisory about a cryptographic weakness in Telerik UI for ASP.NET AJAX components that can result in arbitrary file upload, allowing unauthenticated attackers to compromise vulnerable websites by uploading a webshell. CMSes that use the component, such as DotNetNuke and Sitefinity, are also affected.

While the issue is already 2 years old, and there is no doubt that most of you already know about it (a detailed analysis, or an automated tool to exploit the issue, can be found easily on the internet), it’s still one of the most interesting vulnerabilities I’ve found so far.

If even a silly love story has a place on my personal blog, then why isn’t this one?

Technical details

The Text Editor component of Telerik UI for ASP.NET AJAX has a built-in File Manager feature that allows users to upload files (images, documents, …) and then insert them into their posts.

Continue reading “RCE in Telerik UI for ASP.NET AJAX (CVE-2017-9248)”