usd-2019-0020 | Bitbucket/v5.10.1


Advisory ID: usd-2019-0020
CVE Number: N/A
Affected Product: Bitbucket
Affected Version: v5.10.1
Vulnerability Type: Sensitive Data in URL
Security Risk: Low
Vendor URL: https://www.atlassian.com
Vendor Status: Not fixed

Description

Rather than attacking the cryptography directly, attackers steal keys, perform man-in-the-middle attacks, or steal cleartext data from the server while it is in transit or from the user's client, e.g. the browser. A manual attack is generally required.

Proof of Concept

If a user changes their profile picture, the CSRF token is transferred in the URL. The CSRF token does not change afterwards and remains valid for the whole session.

Request:

POST /stash-kons/users/alice/avatar.png?atl_token=44df79fc27cf40a3ca9df08686400f095f242d92 HTTP/1.1
Host: hostname
Connection: close
Content-Length: 27979
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: BITBUCKETSESSIONID=5DD59366F93308291C8EC6C0BCBF4184

[…]

Fix

Send the CSRF token as a POST parameter instead of in the URL.
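As an added example (not part of the advisory or of Bitbucket's code), a small Python check that flags anti-CSRF tokens carried in a request URL and shows the fixed pattern, where the token is accepted only from the form-encoded POST body. The request texts, the token value and the parameter names other than atl_token are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names treated as sensitive when they appear in a URL. "atl_token" is
# the anti-CSRF parameter from the advisory's request; the rest are assumed names.
SENSITIVE_PARAMS = {"atl_token", "csrf_token", "session", "password"}

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def tokens_in_url(target: str) -> dict:
    """Return {param: value} for sensitive parameters found in the query string."""
    query = parse_qs(urlsplit(target).query)
    return {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}

def csrf_token_from_body(raw: str, param: str = "atl_token"):
    """Hardened extraction: accept the CSRF token only from a form-encoded POST body."""
    method, _, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    return parse_qs(body).get(param, [None])[0]

# Constructed requests: the first mirrors the advisory's pattern (token in the URL),
# the second the fixed pattern (token in the body). The token value is made up.
VULNERABLE = (
    "POST /users/alice/avatar.png?atl_token=deadbeef0123 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n"
    "avatar=..."
)
FIXED = (
    "POST /users/alice/avatar.png HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n"
    "atl_token=deadbeef0123&avatar=..."
)

def audit(raw: str) -> dict:
    """Report sensitive URL parameters and the token the hardened check would accept."""
    _, target, _, _ = parse_request(raw)
    return {"leaked": tokens_in_url(target), "accepted_token": csrf_token_from_body(raw)}
```

Running `audit` over proxy or access-log request lines in the same way flags any endpoint that still carries the token in the query string, where it would end up in logs, browser history and Referer headers.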

Timeline

  • 2019-03-28 Vulnerability securely submitted to security@atlassian.com
  • 2019-04-11 Second contact attempt via contact form
  • 2019-05-23 Atlassian Security Team agreed to the publication of the advisory
  • 2019-07-31 Security advisory released

Credits

This security vulnerability was found by Tobias Neitzel and Julian Frey of usd AG.