addition signup path + template fix

2022-07-23 18:37:43 +05:30 · 2022-07-23 18:37:43 +05:30 · 7379d35162
parent a84603a8e9
commit 7379d35162
2 changed files with 54 additions and 23 deletions
--- a/vulnerabilities/jira/jira-service-desk-signup.yaml
+++ b/vulnerabilities/jira/jira-service-desk-signup.yaml
@ -1,23 +0,0 @@
-id: jira-service-desk-signup
-
-info:
-  name: Jira Service Desk Signup
-  author: TechbrunchFR
-  severity: medium
-  tags: jira,atlassian,service
-
-requests:
-  - method: POST
-    path:
-      - "{{BaseURL}}/servicedesk/customer/user/signup"
-    headers:
-      Content-Type: application/json
-    body: '{"email":"invalid","signUpContext":{},"secondaryEmail":"","usingNewUi":true}'
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - "signup.validation.errors"
-      - type: status
-        status:
-          - 400
--- a/vulnerabilities/jira/jira-servicedesk-signup.yaml
+++ b/vulnerabilities/jira/jira-servicedesk-signup.yaml
@ -0,0 +1,54 @@
+id: jira-servicedesk-signup
+
+info:
+  name: Atlassian Jira Service Desk Signup
+  author: TechbrunchFR
+  severity: medium
+  description:
+    This instance of Atlassian JIRA is misconfigured to allow an attacker to sign up (create a new account) just by navigating to the signup page that is accessible at the URL /servicedesk/customer/user/signup. After the attacker has created a new account it's possible for him/her to access the support portal.
+  reference:
+    - https://www.acunetix.com/vulnerabilities/web/atlassian-jira-servicedesk-misconfiguration/
+  metadata:
+    shodan-query: http.component:"Atlassian Jira"
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-287
+  tags: atlassian,servicedesk,jira,confluence
+
+requests:
+  - raw:
+      - |
+        GET /servicedesk/customer/user/signup HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /servicedesk/customer/user/signup HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        Origin: {{RootURL}}
+        Referer: {{RootURL}}/servicedesk/customer/user/signup
+
+        {"email":"","fullname":"{{randstr}}","password":"","captcha":"","secondaryEmail":""}
+
+      - |
+        GET /secure/Signup!default.jspa HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /secure/Signup.jspa HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Origin: {{RootURL}}
+        Referer: {{RootURL}}/secure/Signup.jspa
+
+        email=&fullname={{randstr}}&username=&password=&Signup=Sign+up
+
+    cookie-reuse: true
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        words:
+          - 'signup.validation.errors'
+          - 'signup-username-error'
+        condition: or