Confluence / CONF-28932

External image sources can trigger a basic authentication dialogue

    Details

    • Last commented by user?:
      true
    • CVSS Score:
      3.5

      Description

      When an external resource (e.g. http://foo.com/image.jpeg) is used as the source of an image tag, if the external resource returns a 401 response code and sets a WWW-Authenticate header then the browser's standard 'Basic authentication' dialogue will pop up within the Confluence page.
      While this is standard (and expected) browser behavior, it could confuse users and be used in phishing attacks.

        Activity

        David Black [Atlassian] created issue -
        David Black [Atlassian] made changes -
        Field Original Value New Value
        Attachment confluence.jpg [ 90224 ]
        David Black [Atlassian] made changes -
        Reporter David Black [Atlassian] [ dblack ] Sergio Cinos [Atlassian] [ scinos ]
        David Black [Atlassian] made changes -
        Link This issue is related to JRA-32588 [ JRA-32588 ]
        Vitaly Osipov [Atlassian] made changes -
        Link This issue relates to JRA-32588 [ JRA-32588 ]
        Vitaly Osipov [Atlassian] added a comment -

        This happens more or less in any product that allows external image links, including Hipchat.
        Exploit scenario is a phishing attack where people will type in their password without considering the text of the prompt.

        David Black [Atlassian] added a comment -

        On the browser side: it seems that Chrome previously added protection against this, but has since removed that protection: https://code.google.com/p/chromium/issues/detail?id=21628

        David Black [Atlassian] made changes -
        CVSS Score 3.5
        Renan Battaglin [Atlassian] made changes -
        Affects Version/s 5.1 [ 31492 ]
        Renan Battaglin [Atlassian] made changes -
        Component/s WYSIWYG editing [ 10797 ]
        Renan Battaglin [Atlassian] made changes -
        Component/s Images / Thumbnails [ 12397 ]
        Renan Battaglin [Atlassian] made changes -
        Status New [ 10034 ] Open [ 1 ]
        Vitaly Osipov [Atlassian] added a comment -

        This can be exploited by importing wiki markup

        !http://externalsevilprotectedpicture.jpg!
        Don Willis [Atlassian] made changes -
        Component/s Security [ 12160 ]
        Component/s WYSIWYG editing [ 10797 ]
        Matt Ryall [Atlassian] added a comment -

        Thanks for raising this, but we won't be fixing this in the product. The only possible workaround is to optionally proxy all image downloads, which is resource-intensive and error-prone.

        If a customer wants to prevent untrusted users embedding external images, they can restrict edit and comment permissions to trusted users.

        Matt Ryall [Atlassian] made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Assignee Matt Ryall [Atlassian] [ matt@atlassian.com ]
        Resolution Won't Fix [ 2 ]
        Vitaly Osipov [Atlassian] made changes -
        Security Developers and Reporter Only [ 10040 ]
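
For administrators who keep external images enabled, the condition in the description (a 401 response carrying a WWW-Authenticate header) can be checked against stored page content. The following is an added example, not code from the issue or from Atlassian; the function names, the injectable `probe` callable and the sample hosts are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wiki-markup image syntax as quoted in the thread: !http://host/picture.jpg!
WIKI_IMG = re.compile(r"!(https?://[^\s!|]+)(?:\|[^!]*)?!")

class _ImgSrc(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])

def external_images(content, own_host):
    """Image URLs in wiki markup or HTML whose host is not own_host."""
    parser = _ImgSrc()
    parser.feed(content)
    found = []
    for url in WIKI_IMG.findall(content) + parser.srcs:
        url = "https:" + url if url.startswith("//") else url  # protocol-relative src
        parts = urlparse(url)
        external = (parts.hostname or "").lower() not in ("", own_host.lower())
        if parts.scheme in ("http", "https") and external and url not in found:
            found.append(url)
    return found

def triggers_auth_prompt(status, headers):
    """The condition from the description: 401 plus a WWW-Authenticate header."""
    return status == 401 and any(k.lower() == "www-authenticate" for k in headers)

def http_probe(url, timeout=5):
    """Fetch url once; urllib raises HTTPError on a 401, and the error carries the headers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def audit(content, own_host, probe=http_probe):
    """URLs in content that would raise a credential dialog when the page is rendered."""
    return [u for u in external_images(content, own_host) if triggers_auth_prompt(*probe(u))]

# Constructed sample content and canned probe results, so the audit runs offline.
SAMPLE_PAGE = '!http://img.example.net/protected.jpg! <img src="https://wiki.example.com/logo.png"> <img src="//cdn.example.org/chart.png">'
SAMPLE_RESPONSES = {"http://img.example.net/protected.jpg": (401, {"WWW-Authenticate": 'Basic realm="x"'}),
                    "https://cdn.example.org/chart.png": (200, {"Content-Type": "image/png"})}
```

A clean result only describes the moment of the probe, since the remote server can start returning 401 later or answer a scanner differently from a browser. `http_probe` fetches author-supplied URLs, so run it from a host with restricted egress.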

          People

          • Votes: 0
          • Watchers: 6

            Dates

            • Created:
              Updated:
              Resolved:
              Last commented:
              50 weeks, 6 days ago