• Type: Bug
• Resolution: Fixed
• Priority: High
• 2.10
• 2.7.3
• None
• Environment: Debian 4.0
  java version "1.5.0_14"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
  Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)
  Tomcat 5.5

Confluence still uses DWR 1.1.4. This version contains a Cross Site Scripting Vulnerability in the handling of error messages. Example:

      /confluence/dwr/exec/AjaxUserProfileEditor.getPreferenceUserEditWysiwyg.dwr?callCount=1&c0-scriptName=AjaxUserProfileEditor&c0-methodName=getPreferenceUsertest&c0-id=');</script>a<script>Evil_Script</script>

      Maybe this bug is already known, getahead.org says that "DWR version 2.0.1 and before contained 2 XSS vulnerabilities". Perhaps this is one of them.

      Kind regards
      Bjoern Froebe
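As an added illustration (not DWR's or Confluence's code, and not taken from this ticket), the Python below models the class of defect the report describes: a script-typed error response that reflects the c0-id parameter by plain concatenation, beside one that encodes the value as a JavaScript string literal before embedding it. The function names, the `_handleError` call and the decoded payload constant are assumptions made for the example.

```python
import json
import re

# Constructed sample: the c0-id value from the report's example URL, URL-decoded
# (the original writes ' as %27 and < > as %3C %3E).
REPORTED_PAYLOAD = "');</script><script>alert(\"xss\");d('"


def naive_error_script(call_id: str) -> str:
    """Illustrative 'before': the untrusted id is spliced into a JS error
    callback by concatenation. Hypothetical code, not DWR's: it only models the
    bug class (unencoded data inside a script error message)."""
    return "<script>dwr.engine._handleError('" + call_id + "', 'Error');</script>"


def js_string_literal(value: str) -> str:
    """Encode untrusted text as a JS string literal that is safe inside a
    <script> block. JSON encoding handles quotes, backslashes and control
    characters (ensure_ascii also escapes U+2028/U+2029 line terminators), and
    '</' is split into '<\\/' so the sequence '</script>' can never appear."""
    literal = json.dumps(value, ensure_ascii=True)
    return literal.replace("</", "<\\/")


def safe_error_script(call_id: str) -> str:
    """Illustrative 'after': same response shape, id emitted as a JS literal."""
    return ("<script>dwr.engine._handleError(" + js_string_literal(call_id)
            + ", 'Error');</script>")


SCRIPT_CLOSE = re.compile(r"</script>", re.IGNORECASE)


def breaks_out(html: str) -> bool:
    """True when the response holds more than its one intended closing tag,
    i.e. the reflected data terminated the script block early."""
    return len(SCRIPT_CLOSE.findall(html)) != 1


if __name__ == "__main__":
    print("naive breaks out:", breaks_out(naive_error_script(REPORTED_PAYLOAD)))
    print("encoded breaks out:", breaks_out(safe_error_script(REPORTED_PAYLOAD)))
```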

Attachment: 2.9.2.zip (454 kB)

            [CONFSERVER-11808] XSS in DWR

m@ (Inactive) added a comment:

The patches work by upgrading DWR to 2.0.3.

The main core of the DWR functionality is provided by a resource called engine.js, and the caching headers have changed.

If you install this patch you might find problems changing tabs on the editor. This is caused by a cached version of the old engine.js file. You will need to clear the browser's cache to rectify this problem.

Andrew Prentice (Inactive) added a comment:

Unable to reproduce error with example URL above after 2.9.2 patch applied (was able to reproduce before patch applied).

m@ (Inactive) added a comment:

DWR was upgraded to 2.0.3.

Other changes include a couple of (unrelated to DWR) classes that were incorrectly using the Logger provided by DWR and not log4j. Looks like a mistake with the "automatic" imports.

m@ (Inactive) added a comment:

I have successfully upgraded DWR to 2.0.3 and the original XSS issue is no longer reproducible.

m@ (Inactive) added a comment:

I am currently experimenting with an upgrade to 2.0.x. So far so good.

Chris Broadfoot [Atlassian] added a comment:

This is not a trivial issue to fix, and there is a distinct lack of information surrounding DWR and what has changed between versions. I tried quickly to upgrade Confluence to DWR 2.0.5 and all DWR calls seemed to break. Looking quickly at some sites that use DWR 2.0.x, this issue might have been fixed.

Perhaps it's better to wait until we eliminate DWR from Confluence.

Chris Broadfoot [Atlassian] added a comment (edited):

Took a while for me to get this to work, here's a URL to reproduce:

/dwr/exec/?callCount=1&c0-id=%27);%3C/script%3E%3Cscript%3Ealert(%22xss%22);d(%27

Assignee: m@ (Inactive)
Reporter: Bjoern Froebe