Reported Vulnerability in CERT Secure Coding Standards Website
Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that the behavior described is not a vulnerability.
On October 24, 2008, rvdh posted an entry on the 0x000000 blog that implied that the CERT Secure Coding website contained a SQL injection vulnerability. This website runs Atlassian Confluence, which is used by multiple organizations. If there were a publicly known SQL injection vulnerability in the Confluence software, it would have a pretty widespread effect on these organizations, CERT included. This prompted us to investigate the issue.
When performing a specific query to the Confluence software, an error and detailed stack trace is displayed to the user. From this error, rvdh draws the following conclusion: "^ Oops, besides this hideous blob of intelligence it also let us modify the SQL query. Finally something really interesing to discuss at those cocktail parties or is it?"
It is true that the stack trace is ugly, but that's about as far as the flaw goes. The malformed query does not make it to the SQL part of the Confluence code. If you look at the stack trace, you will notice that the error is generated by the QueryParser component of Apache Lucene. It's not clear where rvdh draws the conclusion that you can modify the SQL query. Sure, you have control over what values might be used to perform the search, but that is expected.
Here is the response from Atlassian, which is the vendor that produces Confluence:
The proposed "attack" supplies the server with an invalid search query that causes Confluence to display an error message. This is a bug only insofar as we don't present a better error message.
- The query in question is performed against the Lucene index. It is never passed anywhere near SQL, so it can not be used for SQL injection Lucene queries are read-only, so it is impossible for a search query to modify the index in any way, however constructed
- Lucene queries are constructed programatically, so there is no way for the user-supplied portion of the query can effect the query's security constraints and view data that could not otherwise be found in a search by that user
- As an application that is mostly used in intranets, Confluence's default error page is very wordy. Customers who want to limit the amount of information leaked during system errors can do so by editing their 500.jsp file to remove the backtrace and error information.
- Even if this were an SQL query, Confluence uses standard prepared-statement-style parameter insertion to generate SQL queries. As such it is highly resistant to SQL injection attacks.
For more information about Confluence security practices, and a list of all recorded Confluence security advisories, please see this page: