Uploaded image for project: 'Confluence'
  1. Confluence
  2. CONF-28932

External image sources can trigger a basic authentication dialogue

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 5.1
    • Fix Version/s: None
    • Component/s: None
    • Last commented by user?:
      true
    • CVSS Score:
      3.5

      Description

      When an external resource(e.g. http://foo.com/image.jpeg) is used as the source of an image tag, if the external resource returns a 401 response code and sets a WWW-Authenticate header then the browsers standard 'Basic authentication' dialogue will pop up within on the confluence page.
      While this is standard (and expected) browser behavior it could confuse users and be used in phishing attacks.

        Attachments

          Activity

          dblack David Black created issue -
          dblack David Black made changes -
          Field Original Value New Value
          Attachment confluence.jpg [ 90224 ]
          dblack David Black made changes -
          Reporter David Black [Atlassian] [ dblack ] Sergio Cinos [Atlassian] [ scinos ]
          dblack David Black made changes -
          Link This issue is related to JRA-32588 [ JRA-32588 ]
          dblack David Black made changes -
          Description When an external resource(e.g. http://foo.com/image.jpeg) is used as the source of an image tag, if the external resource returns a 401 response code and sets a WWW-Authenticate header then the browsers standard 'Basic authentication' dialogue will pop up within on the confluence page.
          Whilst this is standard (and expected) browser behavior it could confuse users and be used in phishing attacks.

          When an external resource(e.g. http://foo.com/image.jpeg) is used as the source of an image tag, if the external resource returns a 401 response code and sets a WWW-Authenticate header then the browsers standard 'Basic authentication' dialogue will pop up within on the confluence page.
          While this is standard (and expected) browser behavior it could confuse users and be used in phishing attacks.

          vosipov Vitaly Osipov [Atlassian] made changes -
          Link This issue relates to JRA-32588 [ JRA-32588 ]
          Hide
          vosipov Vitaly Osipov [Atlassian] added a comment -

          This happens more or less in any product that allows external image links, including Hipchat.
          Exploit scenario is a phishing attack where people will type in their password without considering the text of the prompt.

          Show
          vosipov Vitaly Osipov [Atlassian] added a comment - This happens more or less in any product that allows external image links, including Hipchat. Exploit scenario is a phishing attack where people will type in their password without considering the text of the prompt.
          Hide
          dblack David Black added a comment -

          On the browser side: it seems that chrome previously added protection, but since has removed protection, against this https://code.google.com/p/chromium/issues/detail?id=21628

          Show
          dblack David Black added a comment - On the browser side: it seems that chrome previously added protection, but since has removed protection, against this https://code.google.com/p/chromium/issues/detail?id=21628
          dblack David Black made changes -
          CVSS Score 3.5
          rbattaglin Renan Battaglin made changes -
          Affects Version/s 5.1 [ 31492 ]
          rbattaglin Renan Battaglin made changes -
          Component/s WYSIWYG editing [ 10797 ]
          rbattaglin Renan Battaglin made changes -
          Component/s Images / Thumbnails [ 12397 ]
          rbattaglin Renan Battaglin made changes -
          Status New [ 10034 ] Open [ 1 ]
          Hide
          vosipov Vitaly Osipov [Atlassian] added a comment -

          This can be exploited by importing wiki markup

          !http://externalsevilprotectedpicture.jpg!
          Show
          vosipov Vitaly Osipov [Atlassian] added a comment - This can be exploited by importing wiki markup !http://externalsevilprotectedpicture.jpg!
          don.willis@atlassian.com Don Willis [Atlassian] made changes -
          Component/s Security [ 12160 ]
          Component/s WYSIWYG editing [ 10797 ]
          Hide
          matt@atlassian.com Matt Ryall added a comment -

          Thanks for raising this, but we won't be fixing this in the product. The only possible workaround is to optionally proxy all image downloads, which is resource-intensive and error-prone.

          If a customer wants to prevent untrusted users embedding external images, they can restrict edit and comment permissions to trusted users.

          Show
          matt@atlassian.com Matt Ryall added a comment - Thanks for raising this, but we won't be fixing this in the product. The only possible workaround is to optionally proxy all image downloads, which is resource-intensive and error-prone. If a customer wants to prevent untrusted users embedding external images, they can restrict edit and comment permissions to trusted users.
          matt@atlassian.com Matt Ryall made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Assignee Matt Ryall [Atlassian] [ matt@atlassian.com ]
          Resolution Won't Fix [ 2 ]
          vosipov Vitaly Osipov [Atlassian] made changes -
          Security Developers and Reporter Only [ 10040 ]
          jsoderstrom Jonas Soderstrom [Atlassian] made changes -
          Component/s Editor [ 38090 ]
          Component/s Images / Thumbnails [ 12397 ]
          security-metrics-bot Security Metrics Bot made changes -
          Labels security cvss-medium security
          mhrynczak Mark Hrynczak [Atlassian] made changes -
          Workflow New Confluence Default Workflow [ 525649 ] Confluence Cloud First Workflow [ 1115703 ]
          osanico Owen Sanico made changes -
          Workflow Confluence Cloud First Workflow [ 1115703 ] Confluence Cloud First Workflow v2 [ 1203101 ]
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Labels cvss-medium security cvss-medium editor security
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Component/s Security [ 12160 ]
          jturnquist Jonah Turnquist [Atlassian] made changes -
          Component/s Editor [ 38090 ]

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Last commented:
                3 years, 2 days ago