Details
- Bug
- Resolution: Fixed
- Medium
- 2.5.4
- None
Description
Email sent from Igor:
The problem:
The input for space name and key is not being validated properly. I created a JIRA for lacking length validation (CONF-8894) and later on I noticed that any characters in the input for space name are allowed. Combine that with another batch of bugs - space name output is not being sanitized in:
- breadcrumb
- dashboard
- browse space -> advanced
- spaceadmin - remove space confirmation page
- Site Search page
- some other places?
And you get a recipe for an XSS attack that can affect the whole Confluence instance, not just one space.
The result:
Anyone with create space privileges or any space admin (even without space creation privileges) can create/rename the space to something like:
<img src="/wikis/images/icons/print_16.gif" onload="alert('xss')"/>
This will invoke JavaScript in a user's browser when this user views the space, dashboard, search page or potentially other pages. This script could do malicious things, e.g. assign site admin privileges to the malicious user when the exploited page is viewed by a site admin, change the user profile, post comments on behalf of the victim, etc.
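The pattern Igor describes is a stored XSS: a space name is accepted without validation and then written into several pages without output encoding, so the viewer's browser runs whatever the name contains. The following is an added example, not Confluence's own code and not part of the original report. It shows a breadcrumb renderer that concatenates the name (the bug), the same renderer with HTML encoding at the output point (the fix), and a defence-in-depth input validator. The 255-character limit and the rejected characters are assumptions chosen for the demo, not Confluence's actual rules; the payload is the one quoted in the report.

```python
"""Stored-XSS via unsanitized space name: vulnerable rendering beside the
fixed rendering. Example code, not Confluence's; limits are assumed."""
import html
import re

# Payload quoted in the report: an <img> whose onload handler runs script.
PAYLOAD = '<img src="/wikis/images/icons/print_16.gif" onload="alert(\'xss\')"/>'

# Assumed limit for this demo (the report only says length was unchecked).
MAX_NAME_LEN = 255


def render_breadcrumb_vulnerable(space_key: str, space_name: str) -> str:
    """Builds the breadcrumb link by string concatenation. Whatever is
    stored as the space name lands in the page as live markup."""
    return f'<a href="/display/{space_key}">{space_name}</a>'


def render_breadcrumb_safe(space_key: str, space_name: str) -> str:
    """Same link, but every untrusted value is HTML-encoded at the point it
    is written into markup. quote=True also encodes ' and ", so a name
    cannot break out of the href attribute either."""
    return (f'<a href="/display/{html.escape(space_key, quote=True)}">'
            f'{html.escape(space_name, quote=True)}</a>')


_CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def validate_space_name(name: str) -> bool:
    """Input-side check (assumed rules): non-empty, bounded length, no
    control characters, no angle brackets. This is defence in depth only;
    output encoding is what actually stops the injection, because a name
    that passes here can still be dangerous in other contexts (e.g. when
    written into a JavaScript string)."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if _CONTROL_CHARS.search(name):
        return False
    if '<' in name or '>' in name:
        return False
    return True


def markup_survives(rendered: str, payload: str = PAYLOAD) -> bool:
    """True if the payload reached the output as real markup (the bug in
    the report); False if it was encoded into inert text."""
    return payload in rendered


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_breadcrumb_vulnerable),
                            ("safe", render_breadcrumb_safe)):
        out = renderer("DS", PAYLOAD)
        print(f"{label}: executes={markup_survives(out)}\n  {out}")
    print("validate_space_name(PAYLOAD) ->", validate_space_name(PAYLOAD))
```

The encoding has to be applied in every template that prints the name (breadcrumb, dashboard, space admin pages, search results), since one missed location is enough; the validator only narrows the attack surface and would not have protected existing spaces whose names were already stored.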
Attachments
Issue Links
- is duplicated by CONFSERVER-8951 XSS vulnerability in app/spaces/editspace.action (Closed)