Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-9560

Cross-site scripting vulnerability in 500page.jsp

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Highest
    • Resolution: Fixed
    • Affects Version/s: 2.5.7
    • Fix Version/s: 2.6.1
    • Component/s: None
    • Environment:

      Apache http, Confluence 2.5.7 standalone, Windows Server 2003, JDK 1.5

      Description

      The test successfully embedded a script in the response, which will be executed once the page
      is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site
      Scripting attack.

      The file 500page.jsp should escape the attributes and parameters to prevent code execution.

      [3 of 5] Cross-Site Scripting
      Severity: High
      Test Type: Application
      Vulnerable URL: http://xxx.yyy.com:8080/addpersonalspacetofavourites.action
      (Parameter = key)
      Remediation Tasks: Filter out hazardous characters from user input
      Variant 1 of 8 [ID=574034]
      The following changes were applied to the original request:
      • Injected '<script>alert("Watchfire%20XSS")</script>' into parameter 'key's value
      Request/Response:
      GET /addpersonalspacetofavourites.action?nonBlankResult=true&key=<script>alert ("Watchfire%20XSS")</script> HTTP/1.0
      Cookie: seraph.confluence=Zh\hNiQi[hZiOf]fOm\fOfUgSfZfWkYkWk;
      confluence.list.pages.cookie=list-alphabetically;
      confluence.browse.space.cookie=space-templates;
      JSESSIONID=7FC6827BCA10B0042DE6BE0536A246D0
      Accept: /
      Accept-Language: en-US
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
      Host: xxxx.yyyy.com:8080
      Referer: http://xxx.yyyy.com:8080/dopeopledirectorysearch.action?
      searchQueryBean.queryString=&showOnlyPersonal=true
      HTTP/1.1 500 Internal Server Error
      Content-Length: 23985
      Server: Apache-Coyote/1.1
      Content-Type: text/html;charset=ISO-8859-1
      Date: Wed, 22 Aug 2007 20:26:11 GMT
      Connection: close
      <html>
      <head>
      <title>Oops - an error has occurred</title>
      <link rel="stylesheet" href="/styles/main-action.css" type="text/css" />
      <script language="JavaScript" type="text/javascript"
      src="/includes/js/cookieUtils.js"></script>
      <style>
      ...

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              alynch Andrew Lynch
              Reporter:
              marois Jean Marois
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: