[CONFSERVER-46953] persistent xss vulnerability through uploaded files in IE8/9

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: None
Affects Version/s: No-Version
Component/s: Apps - Confluence Questions
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

It is possible to upload a number of file types (checked by extension) to an answers instance and then download them later. Internet Explorer(8/9) sniffs text/plain (and some other content-types) downloads to determine the 'content-type' to use. This means that a text/plain content-type file in internet explorer can be rendered as text/html (as html). To solve this problem it is possible to:
1. set the content-disposition header to be "attachment"
2. and/or set the X-Content-Type-Options header to be "nosniff"

relates to

CONFCLOUD-46953 persistent xss vulnerability through uploaded files in IE8/9

Closed

CONFSERVER-47387 Persistent xss flaw in the revision history (of comments).

Closed

causes: ADM-40153 Loading...

Katherine Yabut made changes - 13/Nov/2018 4:40 AM

Workflow

Original: JAC Bug Workflow v3 [ 2882285 ]

New: CONFSERVER Bug Workflow v4 [ 2978020 ]

Owen made changes - 11/Oct/2018 8:46 AM

Workflow	Original: JAC Bug Workflow v2 [ 2784020 ]	New: JAC Bug Workflow v3 [ 2882285 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:14 PM

Workflow

Original: JAC Bug Workflow [ 2712979 ]

New: JAC Bug Workflow v2 [ 2784020 ]

Owen made changes - 17/Aug/2018 5:57 AM

Symptom Severity

Original: Minor [ 14432 ]

New: Severity 3 - Minor [ 15832 ]

Owen made changes - 02/Jul/2018 6:48 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2378532 ]

New: JAC Bug Workflow [ 2712979 ]

Katherine Yabut made changes - 22/Jun/2017 6:46 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2268356 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2378532 ]

Katherine Yabut made changes - 31/May/2017 5:31 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2212058 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2268356 ]

Katherine Yabut made changes - 31/May/2017 4:54 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2158919 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2212058 ]

Katherine Yabut made changes - 31/May/2017 1:56 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1943864 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2158919 ]

Katherine Yabut made changes - 03/Apr/2017 4:02 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1740560 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1943864 ]

Assignee:: Joe Clark

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 08/Aug/2012 3:47 AM

Updated:: 11/Oct/2018 8:46 AM

Resolved:: 02/Aug/2013 12:12 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates