Confluence Data Center - CONFSERVER-9350

Numerous XSS Type 2 vulnerabilities in macros bundled with Confluence

      I'd like to report critical vulnerabilities in 3 of your macros - Column, Image, Block and Code macros.

      The vulnerabilities are classified as XSS Type 2 (stored) and the details with example exploits are in the pdfs attached.

      Because of the similarity of the vulnerabilities, I assume that it is more than likely that more of your, as well as contributed, plugins suffer from exactly the same problem.

      The fix for all the macros is very simple, just make sure that all the user input (should it be input via body of the macro, or macro attributes) that gets injected into html is encoded or escaped.

      No user input should be allowed to be interpreted as an html element or attribute (or css in the case of the Code macro). Some suggest sanitizing the input by replacing characters like "/\>< with a space or something similar, but such an approach is error-prone and can break usability of your products, so I suggest that you stick with encoding the output into html entities when creating the output. Atlassian has multiple utility methods that can be used for this. Check out GeneralUtil for example. (http://docs.atlassian.com/com/atlassian/confluence/atlassian-confluence/latest/com/atlassian/confluence/util/GeneralUtil.html)

      Every single vulnerability should be rated as critical, because these macros can be exploited by users having write access to wiki pages, or even by users having access to creating comments. Possible exploits can lead to stealing protected information and user passwords, changing user profiles, vandalizing wiki content or even DoS attacks.

      BTW I looked at your JIRA issue tracker, but there is no way to submit bug reports like this without exposing them to the world. Your documentation suggests creating a JIRA issue and setting the visibility to developers and reporter only, but this feature is not available at jira.atlassian.com.

      Just keep in mind that the macros that I mentioned in this ticket are only 4 out of 5 macros that I tried to break. Due to time constraints I didn't test the rest of the macros, but I hope that you'll do so because I'm sure that there are more vulnerabilities in those macros.

      btw the Dynamic Task macro v2 (the new one) is also vulnerable, I reported that to Jonathan Nolen.

      I also found multiple vulnerabilities in Create Page macro from Adaptavist. I reported the issue to Alain Moran via email.

      Attachments:
        1. BlockMacro.pdf (13 kB, Matt Ryall)
        2. CodeMacro.pdf (16 kB, Matt Ryall)
        3. ImageMacro.pdf (13 kB, Matt Ryall)
        4. SelectionMacro.pdf (13 kB, Matt Ryall)
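The fix the report asks for, shown as an added example rather than Confluence's own code: a minimal macro renderer in its vulnerable form (parameters and body concatenated into HTML) beside a hardened form that entity-encodes free-text values and whitelists an enumerated parameter. The class name PanelMacroExample, the methods htmlEncode/renderUnsafe/renderSafe and the `title`/`align` parameters are all assumptions for illustration; in a real plugin the GeneralUtil methods the report points to would take the place of the hand-written encoder.

```java
import java.util.Map;
import java.util.Set;
// Added example, not Confluence's own code: a minimal macro renderer fed
// untrusted parameters and body. In a real plugin, GeneralUtil (named in the
// report) would replace the hand-written htmlEncode() below.
public class PanelMacroExample {
    // Encode what matters in element content and in quoted attribute values;
    // both quote kinds are covered (compare RNDR-12).
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Vulnerable form, the pattern the report describes: parameter and body
    // are concatenated straight into HTML and so become markup.
    static String renderUnsafe(Map<String, String> params, String body) {
        return "<div class=\"panel\" title=\"" + params.get("title") + "\">"
             + "<pre>" + body + "</pre></div>";
    }
    // Hardened form: free-text values are entity-encoded, attributes are always
    // double-quoted (compare RNDR-14), and an enumerated parameter is checked
    // against a whitelist instead of being escaped (compare RNDR-10).
    static final Set<String> ALIGN = Set.of("left", "center", "right");
    static String renderSafe(Map<String, String> params, String body) {
        String align = params.getOrDefault("align", "left");
        if (!ALIGN.contains(align)) align = "left"; // unexpected value: fall back
        return "<div class=\"panel panel-" + align + "\" title=\""
             + htmlEncode(params.getOrDefault("title", "")) + "\">"
             + "<pre>" + htmlEncode(body) + "</pre></div>";
    }
    public static void main(String[] args) {
        // Constructed input: a title that tries to close its attribute, a body
        // holding a script element, and an align value outside the whitelist.
        Map<String, String> params = Map.of("title", "\" onmouseover=\"alert(1)",
                                            "align", "left\" x=\"y");
        String body = "<script>alert(1)</script>";
        System.out.println(renderUnsafe(params, body)); // markup is injected
        System.out.println(renderSafe(params, body));   // rendered as inert text
    }
}
```

Encoding is the right tool for free text such as a title or body; for a parameter with a fixed set of valid values, rejecting anything outside the whitelist is simpler and leaves no encoding context to get wrong.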


            Agnes Ro added a comment -

            The layout plugin (which has the section and column macros) has been fixed.


            Per Fragemann [Atlassian] added a comment -

            What is the story with the section macro? Does it not have to get fixed? Or is the fix broken and the issue should really be reopened?

            Paul Curren added a comment - edited

            Most of the fixes necessary were made in atlassian-renderer as -

            RNDR-17 Image url is created twice for non external images
            RNDR-16 HTML escaping Image thumbnail parameters twice is unnecessary
            RNDR-15 UrlUtils.escapeSpecialCharacters should be moved to HtmlEscaper
            RNDR-14 Object markup should use double quotes for attribute values
            RNDR-13 Object parameters are not HTML escaped
            RNDR-12 UrlUtils.escapeSpecialCharacters doesn't handle quotes correctly
            RNDR-11 Panel /Color macro parameters are not validated Unassigned
            RNDR-10 Image parameters should use a whitelist Unassigned
            RNDR-9 Move HTML escaping code outside of HtmlEscapeRendererComponent
            RNDR-8 Image parameters are not HTML escaped
            RNDR-2 Unit tests fail on JDK16

