Atlassian plugs XML parsing vulnerability

Denies reports of a second vuln

Protecting against web application threats using SSL

Cloud provider Atlassian has moved to patch what a security researcher describes as a backdoor in its enterprise single sign-on Crowd service.

However, the company is disputing Command Five's assertion that a second, as-yet-unpatched vulnerability remains.

Command Five's advisory states that XML DTD (document type definition) parsing gave attackers a means to “retrieve files from the target network, make HTTP requests on the target network, or carry out a Denial of Service attack.”

As the advisory explains, “XML can contain entities that are placeholders for other content”, and these could be exploited to replace a URL generated by Crowd with a path to other locations on the target network. The advisory gives various examples of possible attacks, including:

  • HTTP request relay – getting the Crowd server to perform HTTP requests against itself. Since these appear to be requests from localhost, the attacker can bypass Crowd's trusted proxy and remote address validation rules.
  • Remote file retrieval – an attacker could craft a URL providing access to any file accessible to the Crowd server.
  • Denial of service – using nested XML entities in the DTD header of a SOAP request.

As Command Five noted, Atlassian has released upgraded software that addresses these vulnerabilities. A company spokesperson told The Register “In June, we had already identified and patched the first vulnerability (which the author labeled CVE-2013-3925) in a maintenance release of Crowd.”

What remains at issue, however, is this statement at the end of the Command Five advisory:

“Command Five is aware of at least one other critical vulnerability in Atlassian Crowd (CVE-2013-3926, CVSS 10) which remains unpatched at the time of writing (version 2.6.3). The vulnerability allows unauthenticated remote parties to take full control of any Crowd server to which they are able to make a network connection.”

Atlassian denied this, telling The Register: “We've been unable to substantiate the existence of the second alleged vulnerability, designated CVE-2013-3926. The author of the report has not contacted Atlassian, making it difficult to validate the claim.

“While we've been unable to confirm the existence of the second vulnerability, we take it seriously and have reached out to the author directly for more details. If we can confirm there is a vulnerability, a patch will be issued and all Crowd customers will be emailed details for how to update.” ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.