[CONFSERVER-11040] Grouppicker and Userpicker display unescaped user-entered content

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.7.3, 2.8
Affects Version/s: 2.1.5, 2.2.10, 2.3.3, 2.4.5, 2.5.8, 2.6.2, 2.7.2
Component/s: None
Labels:
- affects-server
Environment:

Browser: MSIE

Bug Fix Policy:
View Atlassian Server bug fix policy

As reported at ~~CONF-9559~~ the spaces/openuserpicker.action and spaces/grouppicker.action display unescaped content that can be entered in the url. This forms an XSS vulnerability.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

CONF-11040-patch-for-2.6.zip
4 kB
17/Mar/2008 6:05 AM

is related to

CONFSERVER-11081 URL not encoded for group browser

Closed

Don Willis added a comment - 18/Mar/2008 3:08 AM

All output in the userpicker and grouppicker that can be affected by user input are now escaped correctly.

Don Willis added a comment - 18/Mar/2008 3:08 AM All output in the userpicker and grouppicker that can be affected by user input are now escaped correctly.

Don Willis added a comment - 18/Mar/2008 3:06 AM

The following fields could pose XSS vulnerabilities:
In the group picker:

startIndex
groupnameTerm
key
onPopupSubmit
existingGroups

In the user picker

onPopupSubmit

Don Willis added a comment - 18/Mar/2008 3:06 AM The following fields could pose XSS vulnerabilities: In the group picker: startIndex groupnameTerm key onPopupSubmit existingGroups In the user picker onPopupSubmit

Don Willis added a comment - 17/Mar/2008 6:05 AM - edited

The CONF-11040-patch-for-2.6.zip file contains updated files to fix this bug in Confluence 2.6.2
There are four updated velocity template (.vm) files in the zip. To apply the patch:

backup your existing confluence/spaces/permissions directory.
unzip the patch into the confluence/spaces/permissions directory
confirm that the confluence/spaces/permissions directory contains 7 vm files and 1 help directory.
confirm that the following files have newer dates than the other files:
- grouppicker-results.vm
- grouppicker.vm
- userpicker-results.vm
- userpicker-form.vm
restart Confluence.

Don Willis added a comment - 17/Mar/2008 6:05 AM - edited The CONF-11040-patch-for-2.6.zip file contains updated files to fix this bug in Confluence 2.6.2 There are four updated velocity template (.vm) files in the zip. To apply the patch: backup your existing confluence/spaces/permissions directory. unzip the patch into the confluence/spaces/permissions directory confirm that the confluence/spaces/permissions directory contains 7 vm files and 1 help directory. confirm that the following files have newer dates than the other files: grouppicker-results.vm grouppicker.vm userpicker-results.vm userpicker-form.vm restart Confluence.

Assignee:: dave (Inactive)

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 11/Mar/2008 11:40 PM

Updated:: 11/Oct/2018 8:45 AM

Resolved:: 18/Mar/2008 10:57 PM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Don Willis added a comment - 18/Mar/2008 3:08 AM

Expand comment: Don Willis added a comment - 18/Mar/2008 3:08 AM

Collapse comment: Don Willis added a comment - 18/Mar/2008 3:06 AM

Expand comment: Don Willis added a comment - 18/Mar/2008 3:06 AM

Collapse comment: Don Willis added a comment - 17/Mar/2008 6:05 AM, Edited by Don Willis - 17/Mar/2008 6:06 AM

Expand comment: Don Willis added a comment - 17/Mar/2008 6:05 AM, Edited by Don Willis - 17/Mar/2008 6:06 AM

People

Dates