Security Advisory WSO2-2017-0218

Published: 06-03-2017



AFFECTED PRODUCTS

WSO2 API Manager 2.1.0



OVERVIEW

WSO2 API Manager Publisher and Store are vulnerable to a possible insider attack.



DESCRIPTION

When a reverse proxy is deployed in front of the API Store or API Publisher, /registry also has to be exposed through the reverse proxy so that API icons and images can be viewed. As a result, an attacker can reach other registry resources that are exposed under /registry.



IMPACT

An attacker with access to the API Manager Publisher or Store can browse the registry once the registry resource paths have been discovered from a local API Manager instance.



SOLUTION

Expose only the required registry resources from the reverse proxy, rather than the whole of /registry.

Required registry resource path: /registry/resource/_system/governance/apimgt/applicationdata/icons/

Example:

Nginx server configurations

For the API Publisher, expose only the registry path below in the reverse proxy configuration.

       location ~ ^/apimanager/publisher/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
           index index.html;
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
       }

For the API Store, expose only the registry path below in the reverse proxy configuration.



       location ~ ^/apimanager/store/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
           index index.html;
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
       }
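As an added check that is not part of this advisory (and is neither WSO2's nor nginx's code), the Python script below models how the two narrowed location blocks above match request paths. It applies the advisory's publisher and store regexes to constructed sample request paths and reports, for each path, the upstream URL nginx would proxy_pass to, or that no icon location matched (in which case nginx falls through to any other location, or returns 404). The URI normalisation is a simplified approximation of nginx's own, and the sample paths and the icon name sample-api are constructed for illustration.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

UPSTREAM = "https://127.0.0.1:9443"  # upstream from the advisory's proxy_pass
ICON_PREFIX = "registry/resource/_system/governance/apimgt/applicationdata/icons/"

# The two "location ~" regexes from the advisory, one for each web app.
LOCATION_PATTERNS = [
    re.compile(r"^/apimanager/publisher/(.*)" + re.escape(ICON_PREFIX) + r"(.*)$"),
    re.compile(r"^/apimanager/store/(.*)" + re.escape(ICON_PREFIX) + r"(.*)$"),
]


def normalize_uri(raw_path: str) -> str:
    """Approximate nginx's $uri normalisation: percent-decode and merge dot segments.

    Assumption: this is a simplified model of what nginx does before regex
    location matching, not nginx's actual parser.
    """
    path = unquote(raw_path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it as nginx would
    return norm


def route(raw_path: str) -> Optional[str]:
    """Return the upstream URL the advisory's icon locations would proxy to,
    or None when neither icon location matches the request path."""
    path = normalize_uri(raw_path)
    for pattern in LOCATION_PATTERNS:
        m = pattern.match(path)
        if m:
            # $1 is whatever sits between the web-app prefix and "registry/"
            # (normally empty); $2 is the path below the icons/ collection.
            return f"{UPSTREAM}/{m.group(1)}{ICON_PREFIX}{m.group(2)}"
    return None


# Constructed request paths; "sample-api" is a made-up icon name.
SAMPLE_REQUESTS: List[str] = [
    "/apimanager/publisher/registry/resource/_system/governance/apimgt/applicationdata/icons/sample-api/icon",
    "/apimanager/store/registry/resource/_system/governance/apimgt/applicationdata/icons/sample-api/icon",
    "/apimanager/publisher/registry/resource/_system/governance/some/other/resource",
    "/apimanager/store/registry/resource/_system/config/some/other/resource",
]


def audit(requests: List[str] = SAMPLE_REQUESTS) -> Dict[str, Optional[str]]:
    """Map each request path to the upstream URL it would be proxied to, or None."""
    return {req: route(req) for req in requests}


if __name__ == "__main__":
    for req, target in audit().items():
        status = "PROXIED" if target else "NOT MATCHED"
        print(f"{status:<12} {req}")
        if target:
            print(f"{'':<12} -> {target}")
```

Only the two icon requests are proxied; the other registry paths, which the old blanket /registry exposure would have forwarded, no longer match any location. To check a different proxy configuration, replace LOCATION_PATTERNS with the regexes from that configuration and add the request paths of interest to SAMPLE_REQUESTS.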


NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.


