Application Details
All versions of Confluence Data Center and Server are affected by this vulnerability.
Vulnerability
Atlassian Confluence Data Center and Server could allow a remote attacker to bypass security restrictions, caused by an improper authorisation vulnerability.
Identification
This vulnerability could potentially allow unauthenticated attackers with network access to the Confluence Instance. Allowing them to restore the database of the Confluence instance, and eventually execute arbitrary system commands.
POST /json/setup-restore.action?synchronous=true
PAYLOAD -
------WebKitFormBoundaryT3yekvo0rGaL9QR7
Content-Disposition: form-data; name="buildIndex"
true
------WebKitFormBoundaryT3yekvo0rGaL9QR7
Content-Disposition: form-data; name="file";filename="jydrmjddgw.zip"
jydrmjddgw
------WebKitFormBoundaryT3yekvo0rGaL9QR7
Content-Disposition: form-data; name="edit"
Upload and import
------WebKitFormBoundaryT3yekvo0rGaL9QR7--
Detection
By turning this into a traffic file and matching rule, we are able to detect attempts to execute arbitrary system commands.
Coverage
Idappcom have created signature 8024362 along with a traffic file for this vulnerability.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional