Confluence / CONF-28932

External image sources can trigger a basic authentication dialogue

    Details

    • CVSS Score: 3.5

      Description

      When an external resource (e.g. http://foo.com/image.jpeg) is used as the source of an image tag and that resource returns a 401 response code with a WWW-Authenticate header, the browser's standard 'Basic authentication' dialogue pops up on the Confluence page.
      While this is standard (and expected) browser behaviour, it could confuse users and be used in phishing attacks.

        Activity

        dblack David Black [Atlassian] created issue -
        dblack David Black [Atlassian] made changes -
        Field Original Value New Value
        Attachment confluence.jpg [ 90224 ]
        dblack David Black [Atlassian] made changes -
        Reporter David Black [Atlassian] [ dblack ] Sergio Cinos [Atlassian] [ scinos ]
        dblack David Black [Atlassian] made changes -
        Link This issue is related to JRA-32588 [ JRA-32588 ]
        dblack David Black [Atlassian] made changes -
        Description (wording edit: "Whilst this is standard ..." changed to "While this is standard ..."; otherwise identical to the description above)

        vosipov Vitaly Osipov [Atlassian] made changes -
        Link This issue relates to JRA-32588 [ JRA-32588 ]
        vosipov Vitaly Osipov [Atlassian] added a comment -

        This happens more or less in any product that allows external image links, including Hipchat.
        Exploit scenario is a phishing attack where people will type in their password without considering the text of the prompt.

        dblack David Black [Atlassian] added a comment -

        On the browser side: it seems that Chrome previously added protection against this, but has since removed it: https://code.google.com/p/chromium/issues/detail?id=21628
        dblack David Black [Atlassian] made changes -
        CVSS Score 3.5
        rbattaglin Renan Battaglin made changes -
        Affects Version/s 5.1 [ 31492 ]
        rbattaglin Renan Battaglin made changes -
        Component/s WYSIWYG editing [ 10797 ]
        rbattaglin Renan Battaglin made changes -
        Component/s Images / Thumbnails [ 12397 ]
        rbattaglin Renan Battaglin made changes -
        Status New [ 10034 ] Open [ 1 ]
        vosipov Vitaly Osipov [Atlassian] added a comment -

        This can be exploited by importing wiki markup:

        !http://externalsevilprotectedpicture.jpg!
        don.willis@atlassian.com Don Willis [Atlassian] made changes -
        Component/s Security [ 12160 ]
        Component/s WYSIWYG editing [ 10797 ]
        matt@atlassian.com Matt Ryall [Atlassian] added a comment -

        Thanks for raising this, but we won't be fixing this in the product. The only possible workaround is to optionally proxy all image downloads, which is resource-intensive and error-prone.

        If a customer wants to prevent untrusted users embedding external images, they can restrict edit and comment permissions to trusted users.
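The two mitigations discussed in this thread, as an added example (not Confluence code and not from this issue): an image-proxy decision function that fetches the external image server-side and never relays a 401/WWW-Authenticate challenge (or any non-image response) to the browser, so the browser's Basic-auth dialogue cannot be triggered through an `<img>` tag, plus a scanner that finds external image references in wiki markup of the `!http://...!` form so an admin can audit who embedded them. The upstream responses are constructed inline, not captured traffic; the function names, the placeholder image bytes and the assumed `!url|attrs!` image-macro syntax are my own assumptions.

```python
import re
from email.message import Message
from email.parser import BytesParser

# Constructed upstream responses (not captured traffic): what a malicious
# image host and a benign one would return for the <img src=...> fetch.
EVIL_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="Confluence - please sign in"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
BENIGN_JPEG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xd9"  # JPEG SOI/EOI markers only, stands in for a real file
)
NOT_AN_IMAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"<html>"
)

# Assumed placeholder served instead of anything suspicious (PNG signature only;
# a real deployment would ship a genuine "image unavailable" file).
PLACEHOLDER_PNG = bytes.fromhex("89504e470d0a1a0a")

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_bytes = head.partition(b"\r\n")
    m = STATUS_LINE.match(status_line)
    if not m:
        raise ValueError("malformed status line")
    headers = BytesParser().parsebytes(header_bytes + b"\r\n")
    return int(m.group(1)), headers, body


def prompts_basic_auth(status: int, headers: Message) -> bool:
    """True if a browser would show its native login dialogue for this
    response: a 401 carrying a WWW-Authenticate challenge for Basic (or Digest)."""
    if status != 401:
        return False
    for challenge in headers.get_all("WWW-Authenticate", []):
        scheme = challenge.strip().split(None, 1)[0].lower()
        if scheme in ("basic", "digest"):
            return True
    return False


def proxy_external_image(raw_upstream: bytes):
    """Decide what the proxy sends to the browser for one upstream response.
    Returns (status, headers_dict, body). Only a successful image body and its
    content type are relayed; every other upstream header (WWW-Authenticate,
    Set-Cookie, ...) is dropped, so no auth challenge ever reaches the browser."""
    status, headers, body = parse_response(raw_upstream)
    if prompts_basic_auth(status, headers):
        # Swallow the challenge: neutral placeholder, no WWW-Authenticate.
        return 200, {"Content-Type": "image/png"}, PLACEHOLDER_PNG
    ctype = (headers.get("Content-Type") or "").split(";", 1)[0].strip().lower()
    if status != 200 or not ctype.startswith("image/"):
        # HTML, redirects and errors are replaced too; an <img> has no use for them.
        return 200, {"Content-Type": "image/png"}, PLACEHOLDER_PNG
    return 200, {"Content-Type": ctype}, body


# Assumed Confluence wiki image macro: !url! or !url|attr=value!
EXTERNAL_IMAGE = re.compile(r"!(https?://[^!|\s]+)(?:\|[^!]*)?!")


def find_external_images(wiki_markup: str):
    """Return the absolute http(s) URLs referenced by image macros in wiki
    markup, for auditing pages that embed externally hosted images."""
    return EXTERNAL_IMAGE.findall(wiki_markup)
```

The decision function is deliberately status-agnostic from the browser's point of view: a broken image and a placeholder look the same to an `<img>` element, but a forwarded 401 with `WWW-Authenticate: Basic` is what produces the prompt, so that header must never cross the proxy boundary regardless of what else is passed through.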
        matt@atlassian.com Matt Ryall [Atlassian] made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Assignee Matt Ryall [Atlassian] [ matt@atlassian.com ]
        Resolution Won't Fix [ 2 ]
        vosipov Vitaly Osipov [Atlassian] made changes -
        Security Developers and Reporter Only [ 10040 ]

          People

          • Votes: 0
          • Watchers: 6

          Dates

          • Last commented: 1 year, 51 weeks, 1 day ago