{"id":16615,"date":"2021-07-08T10:52:44","date_gmt":"2021-07-08T08:52:44","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0020\/"},"modified":"2021-07-19T14:11:39","modified_gmt":"2021-07-19T12:11:39","slug":"usd-2019-0020","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0020\/","title":{"rendered":"usd-2019-0020"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2019-0020 | Bitbucket\/v5.10.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2019-0020<\/span>
CVE Number<\/strong>: N\/A<\/span>
Affected Product<\/strong>: Bitbucket<\/span>
Affected Version<\/strong>: v5.10.1<\/span>
Vulnerability Type<\/strong>: Sensitive Data in URL<\/span>
Security Risk<\/strong>: Low<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.atlassian.com<\/a>
Vendor Status<\/strong>: Not fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks or steal clear text data of the server while in transit or from the user\u2019s client e.g. browser. A manual attack is generally required.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept\u00a0<\/h3>\n

If an user changes his profile picture, the CSRF token is transfered inside the URL. The CSRF token does not change after that and is valid for the whole session.<\/p>\n

Request:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]POST \/stash-kons\/users\/alice\/avatar.png?atl_token=44df79fc27cf40a3ca9df08686400f095f242d92 HTTP\/1.1
\nHost: hostname
\nConnection: close
\nContent-Length: 27979
\nAccept: *\/*
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36
\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8
\nAccept-Encoding: gzip, deflate
\nAccept-Language: en-US,en;q=0.9
\nCookie: BITBUCKETSESSIONID=5DD59366F93308291C8EC6C0BCBF4184<\/p>\n

[\u2026]<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Send the CSRF token as POST parameter.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n