URL
      http://localhost:8080/dashboard/doconfigurerssfeed.action

      The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to:

      types=>"><script>alert(document.cookie)</script>

      complete example from the testenvironment:
      http://localhost:8080/dashboard/doconfigurerssfeed.action?types=page&types=blogpost&types=mail&types=comment&types=>"><script>alert(document.cookie)</script>&sort=modified&showContent=true&showDiff=true&spaces=conf_global&labelString=&rssType=atom&maxResults=10&timeSpan=5&publicFeed=false&title=Confluence+RSS+Feed

      (NOTE This only renders correctly in IE, tested in IE 7.0, firefox does not execute the code)

      IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
      vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
      you at least 30 days grace period prior to any public disclosure.

        1. ConfigureRssFeedAction.class
          12 kB
          Brian Nguyen
        2. ConfigureRssFeedAction.class-2.7.3
          12 kB
          Brian Nguyen
        3. ConfigureRssFeedAction.class-2.8.2
          12 kB
          Brian Nguyen
        4. ConfigureRssFeedAction.class-2.7.3-java14
          12 kB
          Brian Nguyen
        5. ConfigureRssFeedAction.class-2.8.2-java14
          12 kB
          Brian Nguyen

            [CONFSERVER-13042] XSS in RSS feed creation

            I attached a patched class file for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions on how to install this patch.

            The subdirectories for the class file are com/atlassian/confluence/dashboard/actions. You need to remove the "-2.7.3" from the class file before copying it.

            Brian Nguyen (Inactive) added a comment - I attached a patched class file for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions on how to install this patch. The subdirectories for the class file are com/atlassian/confluence/dashboard/actions . You need to remove the "-2.7.3" from the class file before copying it.

            Attaching a patch for confluence 2.7.3

            Brian Nguyen (Inactive) added a comment - Attaching a patch for confluence 2.7.3

            No automated tests written for this. Manually tested in IE6, IE7, FF2, FF3.

            Mark Hrynczak (Inactive) added a comment - No automated tests written for this. Manually tested in IE6, IE7, FF2, FF3.

            Attached is the patch for Confluence 2.8.2. To apply the patch

            1. Download the patch
            2. Place the file into /confluence/WEB-INF/classes/com/atlassian/confluence/dashboard/actions
              1. Create the folder if it does not exist
            3. Restart Confluence

            Brian Nguyen (Inactive) added a comment - Attached is the patch for Confluence 2.8.2. To apply the patch Download the patch Place the file into /confluence/WEB-INF/classes/com/atlassian/confluence/dashboard/actions Create the folder if it does not exist Restart Confluence

            This has been fixed for the upcoming 2.9.2 and 2.10 releases

            Brian Nguyen (Inactive) added a comment - This has been fixed for the upcoming 2.9.2 and 2.10 releases

            Thomas

            Thanks for the reports, I will be setting the priority to Critical as the issues get scheduled. We wont be releasing 2.9.2 until they are all addressed.

            Cheers
            Matt

            m@ (Inactive) added a comment - Thomas Thanks for the reports, I will be setting the priority to Critical as the issues get scheduled. We wont be releasing 2.9.2 until they are all addressed. Cheers Matt

              bnguyen Brian Nguyen (Inactive)
              9454181e1678 Thomas Jaehnel
              Affected customers:
              0 This affects my team
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: