Upload a file test.ppt

      Use markup:

      {viewppt:test.ppt|height=<script>alert("xss")</script>|width=<script>alert("xss")</script>}

      The scripts will be executed when the page is loaded.


            [CONFSERVER-15402] XSS vulnerability can be exploited with the viewppt macro

            Mark Nye added a comment -

            Could someone please provide a fixed version of the plugin that can be installed on 2.10.3?


            SteveS added a comment -

            I am applying the patch to my 2.10.3 instance and I notice this issue is in the page

            http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2009-06-01

            Correct me if I'm wrong, but the viewppt macro only exists in version 3.0.

            Also, and most important: do I have something to do for my version 2.10.3?

            PdZ (Inactive) added a comment -

            Happiness for all.

            m@ (Inactive) added a comment -

            Shouldn't all this be handled by Anti-Xss mode? If so, all this stuff needs to be htmlSafe'd.

            It was returning HTML from a method with parts of it not properly encoded.

            Brian Nguyen (Inactive) added a comment -

            Shouldn't all this be handled by Anti-Xss mode? If so, all this stuff needs to be htmlSafe'd.

            RyanA added a comment -

            Good point. I'll fix it real fast.


            Chris Broadfoot [Atlassian] added a comment -

            Just had a quick look at this. height and width parameters should be htmlEncoded, not urlEncoded. Which may prevent width=100% from working as expected.

            m@ (Inactive) added a comment - - edited

            PptConverter:

                        return "<img width=\"" + width + "\" height=\"" + height
                                + "\" src=\"" + contextPath
                                + "/plugins/servlet/pptslideservlet?slide=" + slideNum
                                + "&pageId=" + pageId + "&attachment="
                                + GeneralUtil.urlEncode(attachment) + "&attachmentId="
                                + obj.getId() + "\" />";
            

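The encoder choice discussed in the comments above, as an added example that is not the plugin's code or anything posted in this issue: it builds the same img tag with HTML-encoded width and height and shows what URL encoding does to a size such as 100%. The class name, the htmlEncode helper, the length allow-list, the 100% fallback and the ids in main are assumptions made for illustration; it needs Java 10 or later for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
public class ViewPptImgTag {
    // Assumption: only plain lengths such as 400, 400px or 100% are valid sizes.
    private static final Pattern DIMENSION = Pattern.compile("\\d{1,5}(px|%)?");

    // Hypothetical stand-in for an HTML attribute encoder.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Replace anything that is not a length with the fallback, then encode anyway.
    static String dimension(String raw, String fallback) {
        String v = (raw != null && DIMENSION.matcher(raw.trim()).matches()) ? raw.trim() : fallback;
        return htmlEncode(v);
    }

    static String imgTag(String width, String height, String contextPath,
                         int slideNum, long pageId, String attachment, long attachmentId) {
        // URL-encode the query-string value, then HTML-encode the whole attribute
        // value so the & separators become &amp; inside src="...".
        String src = contextPath + "/plugins/servlet/pptslideservlet?slide=" + slideNum
                + "&pageId=" + pageId
                + "&attachment=" + URLEncoder.encode(attachment, StandardCharsets.UTF_8)
                + "&attachmentId=" + attachmentId;
        return "<img width=\"" + dimension(width, "100%") + "\" height=\"" + dimension(height, "100%")
                + "\" src=\"" + htmlEncode(src) + "\" />";
    }

    public static void main(String[] args) {
        String payload = "<script>alert(\"xss\")</script>"; // value from the report above
        System.out.println(URLEncoder.encode("100%", StandardCharsets.UTF_8)); // URL encoding alters the size
        System.out.println(htmlEncode("100%"));  // HTML encoding leaves the size intact
        System.out.println(htmlEncode(payload)); // markup characters become entities
        System.out.println(imgTag(payload, "100%", "/confluence", 1, 42L, "test.ppt", 7L)); // constructed ids
    }
}
```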

              mjensen m@ (Inactive)
              mhrynczak Mark Hrynczak (Inactive)