Uploaded image for project: 'Confluence Cloud'
  1. Confluence Cloud
  2. CONFCLOUD-54069

Fix XSS vulnerabilities in managereferrers.vm and importword.vm

    XMLWordPrintable

    Details

      Description

      Scope of this issue is to address two specific XSS vulnerabilies. The scope of fixing i18n parameters is tracked elsewhere. Please see the comment below for details.


      (Original Description)

      The ConfluenceActionSupport.getText method is annotated with @HtmlSafe, forcing the Velocity engine to skip HTML encoding of the methods response. The responsibility of HTML encoding is therefore placed on the caller.

      There appears to be a common vulnerability in several velocity templates, that take a user controlled variable and pass it as an argument to the getText method without encoding, leading to XSS vulnerabilities.

      Two such examples are:

      Managereferrers.vm
      #if ($justAdded)
        #applyDecorator("warning" "")
          $action.getText("added.exclusion.feedback", [$justAdded, "$req.contextPath/admin/purgesinglereferrer.action?referrer=$justAdded", "$req.contextPath/admin/purgereferrers.action"])
        #end
      #end
      
      Importword.vm
      <fieldset class="group">
        <legend><span>$action.getText("office.connector.docimport.whereto"):</span></legend>
        <div class="radio">
          <input type="radio" id="newpage" class="radio flip-delete" name="importSpace" value="true" checked>
          <label for="newpage">$action.getText("office.connector.docimport.whereto.space", [$pageTitle])</label>
        </div>
        <div class="radio">
          <input type="radio" id="overwritepage" class="radio flip-delete" name="importSpace" value="false">
          <label for="overwritepage">$action.getText("office.connector.docimport.whereto.page", [$pageTitle])</label>
        </div>
        <div class="checkbox" id="deletealldiv">
          <input class="delete-all checkbox" type="checkbox" id="deleteall" name="overwriteAll" value="true" disabled>
          <label for="deleteall" id="deletealllabel" class="cannot-execute">$action.getText("office.connector.docimport.whereto.delete", [$pageTitle])<label>
        </div>
      </fieldset>
      

      It's recommended all callers of the getText() method require HTML encoding of user controlled parameters.

        Attachments

        1. managereferrers-xss.png
          133 kB
        2. wordimport-xss.png
          85 kB

          Issue Links

            Activity

              People

              Assignee:
              etom edith
              Reporter:
              danh Dan Hodson
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: