A day in 2018, I was participating in a bug bounty program, and this target caught my attention: The reason was pretty simple: LimeSurvey is a name I had never heard of before. I thought to myself that for an uncommon software like this, it should take no more than 5 minutes to find a… Continue reading RCE – LimeSurvey (CVE-2018-7556)
Category: Disclosure
Leaking issues from linked Jira – Atlassian Confluence Server
Application Links (sometimes called “app links”) is a bundled app that allows you to set up links, share information, and provide access to certain resources or functionality across multiple Atlassian products. Linking Confluence to other applications allows you to include information from those applications in pages or blogs that you create in Confluence. For example,… Continue reading Leaking issues from linked Jira – Atlassian Confluence Server
CSRF Protection Bypass – Atlassian Confluence Server
The Server version of Atlassian Confluence comes with a built-in plugin named applinks-cors, with the following declaration in file atlassian-plugin.xml: The CorsFilter class is implemented as below: As we can see from the code, for all requests to URLs that match the defined patterns, Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC) headers will be added to the… Continue reading CSRF Protection Bypass – Atlassian Confluence Server
RCE – Telerik UI for ASP.NET AJAX (CVE-2017-9248)
Two years ago, Progress released a security advisory about a cryptographic weakness issue in Telerik UI for ASP.NET AJAX components that can result in an arbitrary file upload, allowing unauthenticated attackers to compromise vulnerable websites via uploading a webshell. CMSes that use the component, such as DotNetNuke, Sitefinity, are also affected. While the issue is… Continue reading RCE – Telerik UI for ASP.NET AJAX (CVE-2017-9248)
Finding vulnerabilities in Atlassian products
An internal talk of mine that was first presented in 2019.