Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.2.4, 5.2.5
Affects Version/s: 5.2
Component/s: None
Labels:

CVSS Score:
7.5
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Olivier Beg <olivier@hotmail.lv> reported

https://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E&startIndex=0&lastModified=LASTWEEK&where=conf_all%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E

> I asume he is DOM based because he works in google chrome.

This results in

  <input type="hidden" id="search-filter-by-space" name="where" value="conf_all&quot;&gt;&lt;img src=x onerror=alert(1)&gt;" style="width: 100%"/>

which appears to be parsed as having a valid onerror attribute (???), which triggers the alert box if you move your mouse or just wait a second. Checked in Firefox and Chrome. Possibly where is used in javascript context in an unsafe way.

Attachments

Issue Links

is duplicated by

CONFSERVER-31012 Reflected cross-site scripting (XSS) in dosearchsite action

Closed

mentioned in: Wiki Page Loading...

Activity

People

Assignee:: Chii

Reporter:: olivier beg

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 09/Aug/2013 4:40 AM

Updated:: 11/Oct/2018 8:42 AM

Resolved:: 19/Aug/2013 5:39 AM