Details
- Type: Bug
- Resolution: Fixed
- Medium
- 5.5.2
- None
- 3.5
Description
As documented at http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website it is possible to upload a Flash (.swf) file to Confluence under a content type other than Flash's own (for example image/png, by giving the file an image extension). Flash Player decides whether to run a SWF from the file's bytes, not from the Content-Type header the server sends, so the attachment will still execute when it is embedded in a page on an attacker's domain. Because Flash's same-origin policy is based on the domain the SWF is served from, the SWF runs with the origin of the Confluence instance that hosts it: it can make requests to that instance with the victim's session cookies and read the responses. This bug can be used to steal a logged-in user's XSRF/CSRF token and then forge state-changing requests against the instance.
Steps to reproduce
- Set up a Confluence instance
- Rename a Flash file (.swf) to an image extension (e.g. .png)
- Upload the renamed file to Confluence as an attachment and confirm that it is stored with an image content type (e.g. image/png)
- Open http://0me.me/demo/SOP/CrossDomainDataHijackHelper.html
- Enter the direct URL of the attachment in the "Flash File" field
- Enter the Confluence base URL in the "Target Page" field
- Click the "RUN" button
Current behaviour: the renamed Flash file is loaded and executed, and can read responses from the Confluence instance
Expected behaviour: the Flash file should not be rendered or executed
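The fix the steps above call for has to be server-side: the extension and the declared Content-Type both come from the uploader, and the Flash plugin ignores the Content-Type anyway, so the attachment handler must inspect the bytes it stores and must serve attachments in a way Flash Player refuses to execute. The following is an added example, not Confluence's own code; the helper names, the allowed-image table and the sample byte strings are assumptions made for illustration.

```python
import os

# Magic numbers that identify a SWF whatever the file is called or what
# Content-Type it was uploaded under: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Leading bytes of the image formats this example accepts.
IMAGE_MAGICS = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

EXT_TO_TYPE = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
}


def is_swf(data: bytes) -> bool:
    """True if the bytes start with a Flash container signature."""
    return data[:3] in SWF_MAGICS


def sniffed_image_type(data: bytes):
    """Return the image MIME type the leading bytes identify, or None."""
    for mime, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Check that extension, declared Content-Type and actual bytes agree.

    Returns (accepted, reason). Only images are allowed; a SWF renamed to
    .png is rejected before any image sniffing is done.
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = EXT_TO_TYPE.get(ext)
    if expected is None:
        return False, f"extension {ext!r} is not an allowed image extension"
    if declared_type.split(";")[0].strip().lower() != expected:
        return False, f"declared type {declared_type!r} does not match {ext!r}"
    if is_swf(data):
        return False, "content is a Flash (SWF) file, not an image"
    actual = sniffed_image_type(data)
    if actual != expected:
        return False, f"content sniffs as {actual!r}, expected {expected!r}"
    return True, "ok"


def attachment_response_headers(stored_type: str, filename: str) -> dict:
    """Headers to serve every stored attachment with.

    Content-Disposition: attachment makes browsers download rather than
    render the response, and Flash Player will not execute a SWF served
    with it; X-Content-Type-Options: nosniff stops browser content
    sniffing from overriding the stored type.
    """
    # Strip characters that would break out of the quoted filename or the header line.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": stored_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed sample inputs (not real attachments): an uncompressed SWF
# header (signature, version 10, 4-byte little-endian file length) and a
# PNG signature followed by the start of an IHDR chunk.
SWF_SAMPLE = b"FWS\x0a" + (64).to_bytes(4, "little") + b"\x00" * 56
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17


if __name__ == "__main__":
    for name, ctype, blob in [
        ("logo.png", "image/png", SWF_SAMPLE),  # the renamed-SWF trick from the steps above
        ("logo.png", "image/png", PNG_SAMPLE),  # a genuine PNG
    ]:
        print(name, ctype, validate_upload(name, ctype, blob))
```

The two checks are independent: `validate_upload` stops the renamed SWF at upload time, and `attachment_response_headers` makes an attachment that does slip through (or was uploaded before the check existed) harmless when served, because Flash Player refuses to run SWF content delivered with Content-Disposition: attachment. Note that nosniff alone is not enough here, since the Flash plugin never consulted the Content-Type in the first place.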
Issue Links
- is related to CONFSERVER-22710 Implement security sanitization of RSS feeds and other included content (Closed)