[CONFSERVER-13042] XSS in RSS feed creation

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.2, 2.10
Affects Version/s: 2.9, 2.9.1
Component/s: None
Labels:
- RSS
- XSS
- affects-server
- feed
- qa-manual
- rss/atom-feeds
- security
Environment:

using standalone 2.9.1 win 2003 prof, jdk 1.6
also tested on 2.9 deployed in tomcat 6.0.18

Bug Fix Policy:
View Atlassian Server bug fix policy

URL
http://localhost:8080/dashboard/doconfigurerssfeed.action

The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject javascript code into the page by changing the types field to:

types=>"><script>alert(document.cookie)</script>

complete example from the testenvironment:
http://localhost:8080/dashboard/doconfigurerssfeed.action?types=page&types=blogpost&types=mail&types=comment&types=>"><script>alert(document.cookie)</script>&sort=modified&showContent=true&showDiff=true&spaces=conf_global&labelString=&rssType=atom&maxResults=10&timeSpan=5&publicFeed=false&title=Confluence+RSS+Feed

(NOTE This only renders correctly in IE, tested in IE 7.0, firefox does not execute the code)

IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
you at least 30 days grace period prior to any public disclosure.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

ConfigureRssFeedAction.class
12 kB
19/Sep/2008 3:43 AM
ConfigureRssFeedAction.class-2.7.3
12 kB
15/Oct/2008 1:32 AM
ConfigureRssFeedAction.class-2.7.3-java14
12 kB
24/Oct/2008 4:00 AM
ConfigureRssFeedAction.class-2.8.2
12 kB
15/Oct/2008 1:36 AM
ConfigureRssFeedAction.class-2.8.2-java14
12 kB
24/Oct/2008 4:00 AM

Form Name

Katherine Yabut made changes - 13/Nov/2018 4:45 AM

Workflow

Original: JAC Bug Workflow v3 [ 2900745 ]

New: CONFSERVER Bug Workflow v4 [ 2995491 ]

Owen made changes - 11/Oct/2018 9:07 AM

Workflow	Original: JAC Bug Workflow v2 [ 2796223 ]	New: JAC Bug Workflow v3 [ 2900745 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:17 PM

Workflow

Original: JAC Bug Workflow [ 2726340 ]

New: JAC Bug Workflow v2 [ 2796223 ]

Owen made changes - 02/Jul/2018 7:03 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2390403 ]

New: JAC Bug Workflow [ 2726340 ]

Katherine Yabut made changes - 22/Jun/2017 6:50 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2269378 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2390403 ]

Katherine Yabut made changes - 31/May/2017 5:32 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2219712 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2269378 ]

Katherine Yabut made changes - 31/May/2017 4:56 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2154291 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2219712 ]

Katherine Yabut made changes - 31/May/2017 1:55 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1940948 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2154291 ]

Katherine Yabut made changes - 03/Apr/2017 4:01 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1738952 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1940948 ]

Katherine Yabut made changes - 28/Feb/2017 6:37 AM

Workflow

Original: CONF Bug Subtask WF (TEMP) [ 1698863 ]

New: Confluence Workflow - Public Facing - Restricted v3 [ 1738952 ]

Assignee:: Brian Nguyen (Inactive)

Reporter:: Thomas Jaehnel

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 15/Sep/2008 4:25 PM

Updated:: 11/Oct/2018 9:07 AM

Resolved:: 23/Sep/2008 7:36 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates