Posted by Secure Coding
Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that the behavior described is not a vulnerability.
On October 24, 2008, rvdh posted an entry on the 0x000000 blog that implied that the CERT Secure Coding website contained a SQL injection vulnerability. This website runs Atlassian Confluence, which is used by multiple organizations. If there were a publicly known SQL injection vulnerability in the Confluence software, it would have a pretty widespread effect on these organizations, CERT included. This prompted us to investigate the issue.
When a specific query is submitted to the Confluence software, an error and a detailed stack trace are displayed to the user. From this error, rvdh draws the following conclusion: "^ Oops, besides this hideous blob of intelligence it also let us modify the SQL query. Finally something really interesting to discuss at those cocktail parties or is it?"
It is true that the stack trace is ugly, and that it discloses more internal detail than it should, but that's about as far as the flaw goes. The malformed query never reaches the SQL part of the Confluence code. If you look at the stack trace, you will notice that the error is generated by the QueryParser component of Apache Lucene, which rejects the query's syntax before any search is executed. It's not clear how rvdh reaches the conclusion that the SQL query can be modified. Sure, you have control over what values are used to perform the search, but that is expected of a search form.
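To make the distinction concrete, here is an added, simplified Python model of the two layers involved; it is not code from the original post, from Confluence or from Lucene. A Lucene-style query parser rejects malformed syntax before any database access happens, and the SQL stage only ever sees the parsed terms as bound parameters, so SQL-looking input is just another search term. The in-memory table, the function names and the syntax rules checked are assumptions made for the example.

```python
import re
import sqlite3


class QueryParseError(ValueError):
    """Raised when the search syntax itself is malformed (the query-parser stage)."""


def parse_search_query(q: str) -> list[str]:
    """Minimal stand-in for a Lucene-style query parser (assumption: only quotes and
    parentheses are checked). Returns the search terms; nothing here touches SQL."""
    if q.count('"') % 2:
        raise QueryParseError("unterminated quoted phrase")
    depth = 0
    for ch in q:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise QueryParseError("unbalanced parenthesis")
    if depth:
        raise QueryParseError("unbalanced parenthesis")
    terms = [t.strip('"()') for t in re.findall(r'"[^"]*"|\S+', q)]
    if not terms:
        raise QueryParseError("empty query")
    return terms


def search(conn: sqlite3.Connection, q: str) -> list[str]:
    """Parse first; a parse error aborts before the database is ever contacted.
    Terms are bound as parameters, so they cannot alter the SQL statement."""
    terms = parse_search_query(q)
    sql = "SELECT title FROM pages WHERE " + " AND ".join(["title LIKE ?"] * len(terms))
    rows = conn.execute(sql, [f"%{t}%" for t in terms]).fetchall()
    return [r[0] for r in rows]


def handle_request(conn: sqlite3.Connection, q: str) -> dict:
    """Return a short, generic error instead of a stack trace on bad syntax."""
    try:
        return {"ok": True, "results": search(conn, q)}
    except QueryParseError as e:
        return {"ok": False, "error": f"Invalid search query: {e}"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a wiki's page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?)",
                     [("Secure Coding",), ("Confluence Setup",)])
    return conn
```

A query such as `title:(foo` fails in `parse_search_query` and never produces SQL, while `' OR 1=1 --` parses fine and simply matches nothing, because each fragment is bound as a literal search term.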
Here is the response from Atlassian, which is the vendor that produces Confluence:
The proposed "attack" supplies the server with an invalid search query that causes Confluence to display an error message. This is a bug only insofar as we don't present a better error message.
For more information about Confluence security practices, and a list of all recorded Confluence security advisories, please see this page: