• Type: Bug
• Resolution: Fixed
• Priority: Medium
• 3.0
• 2.10.3
• None
• Environment:
  Server: QA-EAC 3.0-m9-r2
  OS: Mac OS X 10.5.6
  Browser: Safari 3.2.1 (5525.27.1)

The Contributors macro accepts a custom message to show when no contributors are found (the noneFoundMessage parameter). That message can be used as an XSS vector: https://qa-eac.atlassian.com/confluence/display/~pdzwart/Contributors+Macro+noneFoundMessage+XSS

      Markup
      {contributors:noneFoundMessage=<iframe src="http://www.youtube.com/v/60og9gwKh1o&hl=en&fs=1&autoplay=1"></iframe>}
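Added here as an illustration of the report above; this is not code from the Contributors plugin or from Confluence. It is a small Python model of the macro's rendering path: parse_macro() reads the markup line under the assumed {name:key=value|key=value} wiki-macro syntax, render_unsafe() reproduces the behaviour the issue describes (the noneFoundMessage value is placed into the page as-is, so the iframe becomes live), and render_safe() applies the standard fix of HTML-encoding the parameter before it is emitted. DEFAULT_MESSAGE, the CSS class name and has_active_markup() are assumptions made for the example.

```python
"""Model of the Contributors macro's noneFoundMessage handling.

Constructed example, not the plugin's code: parse_macro() mirrors the
'{name:key=value|key=value}' wiki-markup shape, render_unsafe() reproduces the
reported behaviour (parameter dropped into HTML as-is) and render_safe() shows
the fix (HTML-encode the parameter before it reaches the page).
"""
import html
import re

# The markup from the issue, used here as the sample input.
MARKUP = ('{contributors:noneFoundMessage=<iframe src="http://www.youtube.com/v/'
          '60og9gwKh1o&hl=en&fs=1&autoplay=1"></iframe>}')

# Fallback text when the parameter is absent (assumed; the real default may differ).
DEFAULT_MESSAGE = "No contributors found."


def parse_macro(markup):
    """Return (macro_name, params) for '{name:k1=v1|k2=v2}'.

    Only the first ':' and, within each parameter, the first '=' are
    separators, so a value may itself contain ':', '=' or '&'.
    """
    body = markup.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not a macro: %r" % markup)
    name, _, raw_params = body[1:-1].partition(":")
    params = {}
    for item in raw_params.split("|"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        params[key.strip()] = value if sep else ""
    return name, params


def _contributor_list(contributors):
    # Contributor names are data too, so they are encoded as well.
    return "<ul>" + "".join("<li>%s</li>" % html.escape(c) for c in contributors) + "</ul>"


def render_unsafe(params, contributors):
    """Behaviour described in the issue: the message is emitted verbatim."""
    if contributors:
        return _contributor_list(contributors)
    message = params.get("noneFoundMessage", DEFAULT_MESSAGE)
    return '<p class="contributors-none">%s</p>' % message


def render_safe(params, contributors):
    """Hardened form: encode the user-controlled message as HTML text."""
    if contributors:
        return _contributor_list(contributors)
    message = html.escape(params.get("noneFoundMessage", DEFAULT_MESSAGE), quote=True)
    return '<p class="contributors-none">%s</p>' % message


# Crude review-time check: does the rendered output still carry a live tag
# that can load or execute content? Enough to tell the two renderers apart.
_ACTIVE_TAG = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def has_active_markup(rendered):
    return _ACTIVE_TAG.search(rendered) is not None


if __name__ == "__main__":
    name, params = parse_macro(MARKUP)
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = renderer(params, [])
        print("%-6s active=%s %s" % (label, has_active_markup(out), out))
```

Running the block shows the same parameter producing a live iframe from render_unsafe() and inert text (&lt;iframe ...&gt;) from render_safe(); when the contributor list is non-empty the message is never emitted, which is why the bug only shows on pages with no contributors.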

[CONFSERVER-15399] Contributors Macro noneFoundMessage XSS Vector

Matthew McVey added a comment -

Is the version of the patch provided for Confluence 2.10.x also compatible with Confluence 2.9.2? If not, can a version that is compatible with Confluence 2.9.2 be provided? Thank you.

            Igor Minar added a comment -

            thanks!

            Anatoli added a comment -

            The version compatible with 2.10.x can be downloaded here. Please install it through Administration > Plugin Manager UI.

            Anatoli added a comment -

            yep, "confluence >= 3.0"

            Since you published the exploit on our site then I would say that it is rather urgent to have a fix for 2.10.3 for all customers that can't upgrade to a major version without some planning and thorough testing, which takes time.

            We are working on the patch right now.

            Igor Minar added a comment -

            I suppose that you meant "confluence >= 3.0".

            Since you published the exploit on our site then I would say that it is rather urgent to have a fix for 2.10.3 for all customers that can't upgrade to a major version without some planning and thorough testing, which takes time.

Anatoli added a comment - edited

            Unfortunately version 1.2.3 is only compatible with confluence >= 3.0.
            We will release a patched version of 1.2.1 (the version used with 2.10.x) shortly.

            Igor Minar added a comment -

            Is version 1.2.3 of this plugin compatible with confluence 2.10.3? The plugin repository says that it isn't.

            Anatoli added a comment -

            Resolving as the change has been reviewed here http://svn.atlassian.com/fisheye/cru/CR-426

            Anatoli added a comment -

            waiting for http://developer.atlassian.com/jira/browse/CONTRB-51 to be reviewed. Once it is done I will release the plugin and upgrade the version in confluence.

Per Fragemann [Atlassian] added a comment -

Not a 3.0-specific bug, so removing the affects-version. Still needs to be fixed in 3.0, though.

Assignee: Anatoli (akazatchkov)
Reporter: PdZ (pdzwart, Inactive)