Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-9704

Security Issue: XSS in wiki exception error page

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 2.5.5
    • Fix Version/s: 2.6.1
    • Component/s: None
    • Environment:

      Build Information:
      confluence.home: /opt/j2ee/domains/atlassian.com/confluence/webapps/atlassian-confluence/data
      system.uptime: 5 days, 17 hours, 28 minutes, 31 seconds
      system.version: 2.5.5
      build.number: 811

      Description

      The confluence wiki does contain a XSS possibility in the exception error page.
      The user input string is NOT output encoded at following lines:
      a) - - Query String: url=<script>alert(document.cookie)</script><br>
      b) - javax.servlet.forward.query_string : url=<script>alert(document.cookie)</script><br>
      c) - atlassian.core.seraph.original.url : /rpc/trackback?url=<script>alert(document.cookie)</script><br>
      Please find below a link showing the vulnerability. Please be aware this URL is only an example for the vulnerability. The error is in the missing output encoding in the exception error page.
      http://confluence.atlassian.com/rpc/trackback?url=<script>alert(document.cookie)</script>

      Generated HTML source:
              <p>
                  <b>Information:</b><br>
                  URL: http://j2ee.confluence.atlassian.com:8080/500page.jsp<br>
                  - Scheme: http<br>
                  - Server: j2ee.confluence.atlassian.com<br>
                  - Port: 8080<br>
                  - URI: /500page.jsp<br>
                  - - Context Path: <br>
                  - - Servlet Path: /500page.jsp<br>
                  - - Path Info: null<br>
                  - - Query String: url=<script>alert(document.cookie)</script><br>
              </p>
              <p>
                  <b>Attributes:</b><br>
                          - javax.servlet.error.exception : java.lang.NullPointerException<br>
                          - javax.servlet.forward.servlet_path : /rpc/trackback<br>
                          - os_securityfilter_already_filtered : true<br>
                          - caucho.forward : true<br>
                          - com.atlassian.core.filters.gzip.GzipFilter_already_filtered : true<br>
                          - javax.servlet.jsp.jspException : java.lang.NullPointerException<br>
                          - javax.servlet.error.exception_type : class java.lang.NullPointerException<br>
                          - javax.servlet.forward.request_uri : /rpc/trackback<br>
                          - javax.servlet.error.status_code : 500<br>
                          - javax.servlet.forward.query_string : url=<script>alert(document.cookie)</script><br>
                          - javax.servlet.error.request_uri : /rpc/trackback<br>
                          - atlassian.core.seraph.original.url : /rpc/trackback?url=<script>alert(document.cookie)</script><br>
                          - loginfilter.already.filtered : true<br>
                          - javax.servlet.forward.context_path : <br>
              </p>
      
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              pcurren Paul C
              Reporter:
              pcurren Paul C
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: