Atlassian Crowd unpatched 'symmetric backdoor' remote XML exploit [pdf] - Cogito
http://www.commandfive.com/papers/C5_TA_2013_3925_AtlassianCrowd.pdf

======
Cogito
This is a very serious remote exploitation of the Crowd service, looks like
version 2.6.3 is the only fully patched and safe version.

Abstract:

This advisory examines a critical vulnerability in Atlassian Crowd, a software
package marketed as a turnkey solution for enterprise scale single sign-on and
secure user authentication. The vulnerability is remotely accessible, does not
require authentication, and is easily exploited. Recommendations for securing
affected systems are provided and special mention is made of an unpatched
weakness in the product that could be classified as a symmetric backdoor.

------
iancarroll
I wouldn't call it unpatched, there is a patch out...

~~~
Cogito
From the pdf, it looks like there is no patch available for versions <= 6.2.2

From my experience the time to turn-around a product upgrade is typically a
lot longer than a security patch. Furthermore, the way the licensing works
means that some users may not be able to upgrade; users who are out of their
maintenance period need a security patch, not an upgrade.