
Atlassian Confluence Server-Side-Request-Forgery Scanner

Detects the Server-Side Request Forgery (SSRF) vulnerability in Atlassian Confluence.

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 12 days 21 hours
Scan only one: URL

Atlassian Confluence is a collaborative software used by corporations and businesses around the globe for documentation, sharing ideas, and organizing projects. It's typically found in enterprise environments, where it's relied upon for its ease-of-use and robust features. The software is heavily used by project management teams, developers, and IT professionals for enhancing productivity through real-time collaboration. Confluence integrates seamlessly with other Atlassian products, such as Jira, to provide a comprehensive team management solution. Public and private sector organizations often prefer Confluence for its adaptability to various business processes. With its powerful plugin architecture, it allows for expansion of its capabilities to suit specific organizational needs.

The Server-Side Request Forgery (SSRF) vulnerability arises when the Confluence XSLT macro allows attackers to misuse the web server to make requests to unintended destinations. This could lead to unauthorized access to internal systems or expose sensitive internal information. Attackers exploit these vulnerabilities by leveraging the fetch functions of the XSLT macro feature, crafting a request that instructs the server to connect to a URL of their choice. Once exploited, it might enable attackers to exfiltrate data or probe for further vulnerabilities within the internal network. Protecting against SSRF is crucial because it mitigates the risks of unauthorized third-party access and information leakage.

The vulnerability centres on the XSLT macro within the Confluence application, which is reached by sending specially crafted payloads to the application's endpoints. Routers, proxies, and firewalls could become liabilities if not properly configured, as they might not differentiate between legitimate and malicious XSLT macro requests. Parameters such as "location" or "xml" within the macro can be manipulated to make the server issue HTTP requests it was never meant to send. Successful exploitation requires the attacker to send a crafted POST request via the API, prompting the backend to resolve a remote payload, often a redirect to an internal resource. Vulnerable endpoints include "/rest/tinymce/1/macro/preview" and "/rest/api/content/macro/preview".
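The two preview endpoints and the "location"/"xml" parameters named above are enough to build a simple request-log check that a defender can run over captured traffic. The script below is an added example, not S4E's scanner and not Confluence code: it flags POST requests to either preview endpoint whose XSLT macro carries a URL-bearing parameter that points at a non-allowlisted host or uses a non-HTTP scheme, and classifies the target host (loopback, private, link-local, public, or DNS name). The JSON body shape (a "macro" object with "name" and "params"), the allowlist, and the sample request records are all constructed assumptions for the demonstration.

```python
"""Flag Confluence macro-preview requests whose XSLT macro points at an
unexpected fetch target.

Added example (not S4E's scanner, not Confluence code). The request body
shape {"macro": {"name": ..., "params": {...}}} is an assumption, not the
real Confluence wire format; adapt extract_urls() to your captured traffic.
"""
from __future__ import annotations

import ipaddress
import json
from urllib.parse import urlsplit

# Endpoints named on the page as reaching the XSLT macro preview.
PREVIEW_ENDPOINTS = {
    "/rest/tinymce/1/macro/preview",
    "/rest/api/content/macro/preview",
}
# Macro parameters named on the page as carrying a fetchable URL.
URL_PARAMS = ("location", "xml")
# Hypothetical allowlist: hosts the XSLT macro is legitimately allowed to fetch from.
ALLOWED_HOSTS = {"docs.example.internal"}


def classify_host(host: str) -> str:
    """Classify a URL host as loopback / link-local / private / public IP, or a DNS name."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def extract_urls(body: str) -> list[tuple[str, str]]:
    """Return (param, value) pairs for URL-bearing params of an XSLT macro body.

    Assumed body shape: {"macro": {"name": "xslt", "params": {...}}}.
    Non-JSON bodies and non-xslt macros yield nothing.
    """
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    macro = doc.get("macro") if isinstance(doc, dict) else None
    if not isinstance(macro, dict) or str(macro.get("name", "")).lower() != "xslt":
        return []
    params = macro.get("params") or {}
    return [(p, params[p]) for p in URL_PARAMS if isinstance(params.get(p), str)]


def analyze_request(req: dict) -> list[str]:
    """Return findings for one request record {"method", "path", "body"}."""
    findings: list[str] = []
    if req.get("method") != "POST" or req.get("path") not in PREVIEW_ENDPOINTS:
        return findings
    for param, value in extract_urls(req.get("body", "")):
        parts = urlsplit(value)
        if not parts.scheme and not parts.netloc:
            continue  # relative reference (e.g. an attachment name): no remote fetch
        if parts.scheme and parts.scheme not in ("http", "https"):
            findings.append(
                f"{req['path']}: param '{param}' uses scheme '{parts.scheme}' (not http/https)"
            )
            continue
        host = parts.hostname or ""
        if host in ALLOWED_HOSTS:
            continue
        findings.append(
            f"{req['path']}: param '{param}' targets {classify_host(host)} host "
            f"{host!r} outside the allowlist"
        )
    return findings


def _body(name: str, params: dict) -> str:
    return json.dumps({"macro": {"name": name, "params": params}})


# Constructed sample records: one allowlisted fetch, one loopback fetch,
# one non-HTTP scheme, one unrelated macro, one non-preview request.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/rest/tinymce/1/macro/preview",
     "body": _body("xslt", {"location": "https://docs.example.internal/report.xsl"})},
    {"method": "POST", "path": "/rest/api/content/macro/preview",
     "body": _body("xslt", {"xml": "http://127.0.0.1:8090/"})},
    {"method": "POST", "path": "/rest/tinymce/1/macro/preview",
     "body": _body("xslt", {"location": "ftp://10.0.0.5/sheet.xsl"})},
    {"method": "POST", "path": "/rest/tinymce/1/macro/preview",
     "body": _body("code", {"language": "java"})},
    {"method": "GET", "path": "/rest/api/content/123", "body": ""},
]


def scan(requests: list[dict] = SAMPLE_REQUESTS) -> list[str]:
    """Run analyze_request over a batch of records and collect all findings."""
    out: list[str] = []
    for r in requests:
        out.extend(analyze_request(r))
    return out


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Run stand-alone, the script reports the loopback fetch and the ftp-scheme fetch and stays silent on the allowlisted, non-xslt and non-preview records. Feeding it real access-log or proxy records only requires mapping their fields onto method, path and body, and tightening ALLOWED_HOSTS to the hosts your Confluence instance genuinely needs to reach.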

Exploitation of the SSRF vulnerability can have several severe impacts, including enabling attackers to perform reconnaissance of internal network infrastructure. The presence of an active SSRF vulnerability could allow traditional security controls such as firewalls and Virtual Private Networks (VPNs) to be bypassed. It might lead to leakage of internal IP addresses, software versions, and database structures. Attackers can gain direct access to critical infrastructure, increasing the risk of sensitive information disclosure. Worse, hostile actors can initiate further exploitation steps, leveraging compromised internal web application resources to chain into Structured Query Language (SQL) injection or Remote Code Execution (RCE).
