-
Bug
-
Resolution: Fixed
-
Medium
-
2.5.7, 2.6.2, 2.7
-
None
-
Tomcat 5.5
jdk 1.5.0_11
Linux 2.6.9-42.ELsmp
Our eSecurity team has identified a Cross Site Scripting issue with the confluence server as follows:
Arbirtatry javascript can be injected in the following cases which can lead to escalated or invalid privileges being granted to an unauthorized user:
1) http://www.anyhost.com/confluence/pages/recentlyupdated.action?key=BE&%3E%27%22%3E%3Cscript%3Ealert%2856517%29%3C%2Fscript%3E=123
This issue has been resolved in version 2.5.8 onwards. The rest of this report refers to the following issue.
2) http://www.anyhost.com/confluence/dashboard/configurerssfeed.action/?>'"><script>alert("esec%20XSS%20attack")</script>
We would like a patch to be created for these issues if they can not be resolved with a setting or configuration.
[CONFSERVER-10164] XSS vulnerability in recently updated and configure RSS feed actions
I echo the 2.5.7 question, and I'm also curious about 2.5.4 (as we have a second instance still running at that level.) Guessing possibly not, given Mark's observations about the original class...
I assume that this could be used against 2.5.6, 2.5.7, or 2.5.8? The original AbstractHtmlGeneratingMacro.class appears to be the same in all three versions.
Also, it looks like this breaks the Checklist Macros Plugin (1.3.0) and the RSVP Plugin (1.3) on our test system. Anyone else seeing the same thing?
Mark Nye
added a comment - - edited I assume that this could be used against 2.5.6, 2.5.7, or 2.5.8? The original AbstractHtmlGeneratingMacro.class appears to be the same in all three versions.
Also, it looks like this breaks the Checklist Macros Plugin (1.3.0) and the RSVP Plugin (1.3) on our test system. Anyone else seeing the same thing? 
Roberto Dominguez
added a comment - Paul, yeah, that was the problem... I had downloaded it from my Mac (Leopard) and it seems like there is something funny either with the Browser, OS or my ISP because I keep getting the wrong MD5 every time I download the file... I ended up wgetting it from my server and everything's fine now 
Thanx!
Roberto Dominguez
added a comment - Paul, yeah, that was the problem... I had downloaded it from my Mac (Leopard) and it seems like there is something funny either with the Browser, OS or my ISP because I keep getting the wrong MD5 every time I download the file... I ended up wgetting it from my server and everything's fine now
Thanx!
jeff peichel
added a comment - The fix mentions that its for 2.5.8, however the bug was reported against 2.5.7. Does the patch work on 2.5.7?
jeff peichel
added a comment - The fix mentions that its for 2.5.8, however the bug was reported against 2.5.7. Does the patch work on 2.5.7? Hi Roberto.
I've double checked this file again but all seems fine. It's a Java 1.4 class file which I have tested on Java 1.4 and Java 5 (on Mac OS X and Linux).
I suspect the file has been corrupted when you downloaded it.
Run md5 on the downloaded file. It should be - 729bd79d7a7fa9a206c3cbcd038208f0
You can also run the 'file' command on the downloaded class and it should output AbstractHtmlGeneratingMacro.class: compiled Java class data, version 48.0
What browser did you use to download the file? I was testing with Firefox which seemed to download it fine.
Roberto Dominguez
added a comment - Did the patch on 2.5.8 but I am getting a lot of these errors:
2007-12-13 22:32:43,804 ERROR [main] [atlassian.plugin.parsers.XmlDescriptorParser] createModuleDescriptor There were problems loading the module 'macro'. The module and its plugin have been disabled. 2007-12-13 22:32:43,807 ERROR [main] [atlassian.plugin.parsers.XmlDescriptorParser] createModuleDescriptor There was a problem loading the descriptor for module 'macro' in plugin 'Advanced Macros'. java.lang.ClassFormatError: Incompatible magic value -1095041334 in class file com/atlassian/confluence/renderer/radeox/macros/AbstractHtmlGeneratingMacro com.atlassian.plugin.PluginParseException: java.lang.ClassFormatError: Incompatible magic value -1095041334 in class file com/atlassian/confluence/renderer/radeox/macros/AbstractHtmlGeneratingMacro at com.atlassian.plugin.descriptors.AbstractModuleDescriptor.init(AbstractModuleDescriptor.java:77) at com.atlassian.plugin.parsers.XmlDescriptorParser.createModuleDescriptor(XmlDescriptorParser.java:147) at com.atlassian.plugin.parsers.XmlDescriptorParser.configurePlugin(XmlDescriptorParser.java:85) at com.atlassian.plugin.loaders.SinglePluginLoader.loadPlugin(SinglePluginLoader.java:89) at com.atlassian.plugin.loaders.SinglePluginLoader.loadAllPlugins(SinglePluginLoader.java:50)
Advanced Macros, Dashboard macros, JIRA Macros, get disabled... is there a workaround????
Roberto Dominguez
added a comment - Did the patch on 2.5.8 but I am getting a lot of these errors:
2007-12-13 22:32:43,804 ERROR [main] [atlassian.plugin.parsers.XmlDescriptorParser] createModuleDescriptor There were problems loading the module 'macro' . The module and its plugin have been disabled.
2007-12-13 22:32:43,807 ERROR [main] [atlassian.plugin.parsers.XmlDescriptorParser] createModuleDescriptor There was a problem loading the descriptor for module 'macro' in plugin 'Advanced Macros' .
java.lang.ClassFormatError: Incompatible magic value -1095041334 in class file com/atlassian/confluence/renderer/radeox/macros/AbstractHtmlGeneratingMacro
com.atlassian.plugin.PluginParseException: java.lang.ClassFormatError: Incompatible magic value -1095041334 in class file com/atlassian/confluence/renderer/radeox/macros/AbstractHtmlGeneratingMacro
at com.atlassian.plugin.descriptors.AbstractModuleDescriptor.init(AbstractModuleDescriptor.java:77)
at com.atlassian.plugin.parsers.XmlDescriptorParser.createModuleDescriptor(XmlDescriptorParser.java:147)
at com.atlassian.plugin.parsers.XmlDescriptorParser.configurePlugin(XmlDescriptorParser.java:85)
at com.atlassian.plugin.loaders.SinglePluginLoader.loadPlugin(SinglePluginLoader.java:89)
at com.atlassian.plugin.loaders.SinglePluginLoader.loadAllPlugins(SinglePluginLoader.java:50)
Advanced Macros, Dashboard macros, JIRA Macros, get disabled... is there a workaround????
Summary
Issue (1) in the original description has been resolved since Confluence 2.5.8.
Issue (2) is resolved in Confluence 2.7.
A patch file is attached for issue (2) - AbstractHtmlGeneratingMacro.class
Installation Instructions for Confluence 2.5.8
Stop Confluence.
This file should be copied to your confluence web-app at WEB-INF/classes/com/atlassian/confluence/renderer/radeox/macros/. On the standalone release this would be <install location>/confluence/WEB-INF/classes/com/atlassian/confluence/renderer/radeox/macros/.
Restart Confluence.
Installation Instructions for Confluence 2.6.2
Stop Confluence.
Create a directory within your web-app at WEB-INF/classes/com/atlassian/confluence/renderer/radeox/macros/.
Copy the attached class file to this newly created directory.
Restart Confluence.
This has been fixed on trunk and merged to 2.7 (will be included in the 2.7 release).
The issue is not closed yet since we have still to produce patches for both reported issues for 2.5 and 2.6.
I believe the class file will be fine against 2.5.7 and 2.5.6. Please note though that I can't say this with certainty. It has only been explicitly tested on 2.5.8 and 2.6.2. This is consistent with our patch policy.
Regarding the potential problems with Checklist Macros Plugin and RSVP Plugin: Given the nature of the fix I can't really see why anything would be broken by it, but if you can provide more details I'll be happy to look into this a little further. Perhaps raise a new issue but link it to this one?
Thanks.