-
Bug
-
Resolution: Fixed
-
High
-
2.5.7
-
None
'd like to report critical vulnerabilities in 3 of your macros - Column, Image, Block and Code macros.
The vulnerabilities are classified as XSS Type 2 (stored) and the details with example exploits are in the pdfs attached.
Because of similarity of the vulnerabilities assume that it is more than likely that more of your, as well as contributed plugins suffer from exactly the same problem.
The fix for all the macros is very simple, just make sure that all the user input (should it be input via body of the macro, or macro attributes) that gets injected into html is encoded or escaped.
No user input should be allowed to be interpreted as a html element or attribute (or css in the case of the Code macro). Some suggest sanitizing the input by replacing characters like "/\>< with a space or something similar, but such a approach is error-prone and can break usability of your products, so I suggest that you stick with encoding the output into html entities when creating the output. Atlassian has multiple utility methods that can be used for this. Check out GeneralUtil for example. (http://docs.atlassian.com/com/atlassian/confluence/atlassian-confluence/latest/com/atlassian/confluence/util/GeneralUtil.html)
Every single vulnerability should be rated as critical, because these macros can be exploited by users having write access to wiki pages, or even by users having access to creating comments. Possible exploits can lead to stealing protected information and user passwords, changing user profiles, vandalizing wiki content or even DoS attacks.
BTW I looked at your JIRA issue tracker, but there is no way to submit bug reports like this without exposing them to the world. Your documentation suggests, creating an JIRA issue and setting the visibility to developers and reporter only, but this feature is not available at jira.atlassian.com
Just keep in mind that the macros that I mentioned in this tickets are only 4 out of 5 macros that I tried to break. Due to time constraints I didn't test the rest of the macros, but I hope that you'll do so because I'm sure that there are more vulnerabilities in those macros.
btw the Dynamic Task macro v2 (the new one) is also vulnerable, I reported that to Jonathan Nolen
I also found multiple vulnerabilities in Create Page macro from Adaptavist. I reported the issue to Alain Moran via email.
[CONFSERVER-9350] Numerous XSS Type 2 vulnerabilities in macros bundled with Confluence
Per Fragemann [Atlassian]
added a comment - what is the story with the section macro? does it not have to get fixed? or is the fix broken and the issue should really be reopened?
Per Fragemann [Atlassian]
added a comment - what is the story with the section macro? does it not have to get fixed? or is the fix broken and the issue should really be reopened? Most of the fixes necessary were made in atlassian-renderer as -
RNDR-17 Image url is created twice for non external images
RNDR-16 HTML escaping Image thumbnail parameters twice is unnecessary
RNDR-15 UrlUtils.escapeSpecialCharacters should be moved to HtmlEscaper
RNDR-14 Object markup should use double quotes for attribute values
RNDR-13 Object parameters are not HTML escaped
RNDR-12 UrlUtils.escapeSpecialCharacters doesn't handle quotes correctly
RNDR-11 Panel /Color macro parameters are not validated Unassigned
RNDR-10 Image parameters should use a whitelist Unassigned
RNDR-9 Move HTML escaping code outside of HtmlEscapeRendererComponent
RNDR-8 Image parameters are not HTML escaped
RNDR-2 Unit tests fail on JDK16
The layout plugin (which has the section and column macros) has been fixed.