Bug
Resolution: Fixed
Medium
2.5.5
None
Build Information:
confluence.home: /opt/j2ee/domains/atlassian.com/confluence/webapps/atlassian-confluence/data
system.uptime: 5 days, 17 hours, 28 minutes, 31 seconds
system.version: 2.5.5
build.number: 811
The Confluence wiki contains an XSS possibility in the exception error page.
The user input string is NOT output encoded at the following lines:
a) - - Query String: url=<script>alert(document.cookie)</script><br>
b) - javax.servlet.forward.query_string : url=<script>alert(document.cookie)</script><br>
c) - atlassian.core.seraph.original.url : /rpc/trackback?url=<script>alert(document.cookie)</script><br>
Please find below a link showing the vulnerability. Please be aware this URL is only an example for the vulnerability. The error is in the missing output encoding in the exception error page.
http://confluence.atlassian.com/rpc/trackback?url=<script>alert(document.cookie)</script>
Generated HTML source:
<p>
<b>Information:</b><br>
URL: http://j2ee.confluence.atlassian.com:8080/500page.jsp<br>
- Scheme: http<br>
- Server: j2ee.confluence.atlassian.com<br>
- Port: 8080<br>
- URI: /500page.jsp<br>
- - Context Path: <br>
- - Servlet Path: /500page.jsp<br>
- - Path Info: null<br>
- - Query String: url=<script>alert(document.cookie)</script><br>
</p>
<p>
<b>Attributes:</b><br>
- javax.servlet.error.exception : java.lang.NullPointerException<br>
- javax.servlet.forward.servlet_path : /rpc/trackback<br>
- os_securityfilter_already_filtered : true<br>
- caucho.forward : true<br>
- com.atlassian.core.filters.gzip.GzipFilter_already_filtered : true<br>
- javax.servlet.jsp.jspException : java.lang.NullPointerException<br>
- javax.servlet.error.exception_type : class java.lang.NullPointerException<br>
- javax.servlet.forward.request_uri : /rpc/trackback<br>
- javax.servlet.error.status_code : 500<br>
- javax.servlet.forward.query_string : url=<script>alert(document.cookie)</script><br>
- javax.servlet.error.request_uri : /rpc/trackback<br>
- atlassian.core.seraph.original.url : /rpc/trackback?url=<script>alert(document.cookie)</script><br>
- loginfilter.already.filtered : true<br>
- javax.servlet.forward.context_path : <br>
</p>
duplicates: CONFSERVER-9560 Cross-site scripting vulnerability in 500page.jsp (Closed)
[CONFSERVER-9704] Security Issue: XSS in wiki exception error page
Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |