Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-43162

XSS in newFileName Field

    XMLWordPrintable

Details

    Description

      From an external report:

      Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the following URL:
      https://confluence/pages/editattachment.action
      As a means to prove the concept proposed by this issue, we added the value "<script>alert(1)</script>file" (without quotes) in the newFileName field. Such as described in the image named xss.png (attached).
      After the aforementioned insertion, the script executes successfully whenever a user visits the vulnerable page, which in turn, is available at:
      https://confluence/dosearchsite.action?queryString="
      As can be seen in the images named xss1.png and xss2.png (attached).

      Attachments

        1. confluence-search-2.3.13-SNAPSHOT.jar
          157 kB
        2. xss.png
          xss.png
          33 kB
        3. xss1.png
          xss1.png
          66 kB
        4. xss2.png
          xss2.png
          91 kB

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-43341 Inconsistent escaping returned by Confluence Search

          • Low - Low priority issues
          • Closed
          links to

          Web Link http://seclists.org/fulldisclosure/2017/Jan/3

          Activity

            People

              fxu Feng Xu (Inactive)
              c0a03ec99fd7 Jodson Santos
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: