Cloud provider Atlassian has moved to patch what a security researcher describes as a backdoor in its enterprise single sign-on Crowd service.

However, the company is disputing Command Five's assertion that a second, as-yet-unpatched vulnerability remains.

Command Five's advisory states that XML DTD (document type definition) parsing gave attackers a means to “retrieve files from the target network, make HTTP requests on the target network, or carry out a Denial of Service attack.”

As the advisory explains, “XML can contain entities that are placeholders for other content”, and these could be exploited to replace a URL generated by Crowd with a path to other locations on the target network. The advisory gives various examples of possible attacks, including:

• HTTP request relay – getting the Crowd server to perform HTTP requests against itself. Since these appear to be requests from localhost, the attacker can bypass Crowd's trusted proxy and remote address validation rules.
• Remote file retrieval – an attacker could craft a URL providing access to any file accessible to the Crowd server.
• Denial of service – using nested XML entities in the DTD header of a SOAP request.

As Command Five noted, Atlassian has released upgraded software that addresses these vulnerabilities. A company spokesperson told The Register “In June, we had already identified and patched the first vulnerability (which the author labeled CVE-2013-3925) in a maintenance release of Crowd.”

What remains at issue, however, is this statement at the end of the Command Five advisory:

“Command Five is aware of at least one other critical vulnerability in Atlassian Crowd (CVE-2013-3926, CVSS 10) which remains unpatched at the time of writing (version 2.6.3). The vulnerability allows unauthenticated remote parties to take full control of any Crowd server to which they are able to make a network connection.”

Atlassian denied this, telling The Register: “We've been unable to substantiate the existence of the second alleged vulnerability, designated CVE-2013-3926. The author of the report has not contacted Atlassian, making it difficult to validate the claim.

“While we've been unable to confirm the existence of the second vulnerability, we take it seriously and have reached out to the author directly for more details. If we can confirm there is a vulnerability, a patch will be issued and all Crowd customers will be emailed details for how to update.” ®

Related stories

• Millionaire staffers pop corks at Atlassian as Oz biz raises $462m (11 December 2015)

  https://www.theregister.com/2015/12/11/atlassian_ipo/

• Writing on the wall for Australian Technology Park (12 November 2015)

  https://www.theregister.com/2015/11/12/writing_on_wall_for_australian_technology_park/

• Remote code execution vulns hit Atlassian kit (22 January 2015)

  https://www.theregister.com/2015/01/22/atlassian_vulns/

• DOCX disaster recovery: How I rescued my wife from XM-HELL (9 June 2014)

  https://www.theregister.com/2014/06/09/docx_disaster_recovery/

• Atlassian's UK-IPO plans: Smart business isn't a disaster (8 January 2014)

  https://www.theregister.com/2014/01/08/atlassians_ukipo_plans_smart_business_isnt_a_disaster/

• Application Lifecycle Management: The movers and shakers (25 November 2012)

  https://www.theregister.com/2012/11/25/alm_market_overview/

• Atlassian junks nine years of user forums (4 November 2012)

  https://www.theregister.com/2012/11/04/atlassian_puts_forums_to_sleep/

• Atlassian heading for the exit? (20 July 2012)

  https://www.theregister.com/2012/07/20/atlassian_upgrade_board/

• Atlassian warns of critical security flaw (18 May 2012)

  https://www.theregister.com/2012/05/18/atlassian_critical_confluence/