Creating a page/comment etc. with the following wiki-markup macro will render JavaScript on the page for anybody visiting this page:

      {search:query=<script>alert(document.cookie)</script>}

      IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
      vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
      you at least 30 days grace period prior to any public disclosure.

        1. search.vm (0.7 kB)
        2. search.vm.2.8.2 (0.7 kB)
        3. search.vm-2.7.3 (0.7 kB)

            [CONFSERVER-13040] Stored XSS in wiki macro search

            Brian Nguyen (Inactive) added a comment

            I attached a patched class file for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions on how to install this patch.

            The subdirectories for the class file are template/macros. You need to remove the "-2.7.3" from the class file before copying it.

            Brian Nguyen (Inactive) added a comment

            Attaching a patch for Confluence 2.7.3

            Brian Nguyen (Inactive) added a comment

            Issue raised in DAC and updated in CAC

            Chris Kiehl added a comment (edited)

            The change looks fine to. But we need to make sure to make version 1.4.2.1 of the advanced macros plugin available on CAC. We also need to create an issue and appropriate versions on DACJ.

            Brian Nguyen (Inactive) added a comment (edited)

            Attached is a patch for Confluence v.2.8.2.

            Place search.vm into the folder /WEB-INF/classes/templates/macros/

            Brian Nguyen (Inactive) added a comment

            This problem was fixed in version 1.4.3 of the Confluence advanced macro. However, this version is not compatible with Confluence 2.9, so I have created a point release (1.4.2.1) that encodes the query parameter.

            The new version will come bundled with Confluence 2.9.2
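The fix named in the last comment, encoding the query parameter at output time, is sketched below as an added example; it is not Atlassian's patch or any code from this issue. The macro matcher, the `q` field name and the rendered markup are assumptions, and both page bodies are constructed.

```python
import html
import re

# Hypothetical matcher for the {search:query=...} markup; not Confluence's parser.
SEARCH_MACRO = re.compile(r"\{search:query=(?P<query>.*?)\}", re.DOTALL)

# Constructed stored page bodies: the macro call from the report, and a
# legitimate query that happens to contain HTML metacharacters.
REPORTED_BODY = "See {search:query=<script>alert(document.cookie)</script>}"
LEGIT_BODY = 'See {search:query="release notes" & more}'


def render_search(query: str, encode: bool) -> str:
    """Render the macro; the query lands in an attribute and in element text."""
    shown = html.escape(query, quote=True) if encode else query
    return (f'<input name="q" value="{shown}">'
            f"<p>Results for: {shown}</p>")


def render_page(body: str, encode: bool = True) -> str:
    """Expand every search macro found in stored wiki text into HTML."""
    return SEARCH_MACRO.sub(lambda m: render_search(m.group("query"), encode), body)


def has_script_tag(rendered: str) -> bool:
    """True if a literal <script> element reached the rendered output."""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, encode in (("unencoded", False), ("encoded", True)):
        out = render_page(REPORTED_BODY, encode)
        print(f"{label:10} script_tag={has_script_tag(out)}\n  {out}")
    print(render_page(LEGIT_BODY))
```

Because the value is stored in the page and encoded only when rendered, a legitimate query containing quotes or ampersands still displays exactly as typed.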

              bnguyen Brian Nguyen (Inactive)
              9454181e1678 Thomas Jaehnel