Confluence Data Center: CONFSERVER-13717

Attachment list in popup doesn't escape filenames causing XSS hole

The filenames in the attachment list of the link popup aren't being escaped.
If you upload an attachment with a filename including HTML, it could be executed.


Matthew McVey added a comment:

Applying this patch to 2.9.2 seems to break the ability to use the rich text editor to correctly link to an attachment containing spaces (and perhaps other characters). "+" characters replace spaces in the wiki markup, which results in a bad link.

Any chance for a fix that doesn't also break functionality?

Andrew Prentice (Inactive) added a comment:

HTML (e.g. <script>alert('XSS')</script>) in attachment filenames is not executed with the patches installed on 2.8.2 and 2.9.2.

m@ (Inactive) added a comment:

This issue was caused by the lack of proper escaping in the Insert Link popup. It could allow a user to upload an attachment with script tags in the file name and have them execute when another user lists the attachments on the same page. This could be used to exploit Confluence by executing actions as another user.

m@ (Inactive) added a comment:

Attached patches for 2.8.2 and 2.9.2 that ensure attachment filenames are properly escaped when they are displayed in the Insert Link popup.

To install these patches, replace insertlink-popup-common.vm in your Confluence installation directory with the appropriate attachment on this issue.

Andrew Prentice (Inactive) added a comment:

Verified fixed in 2.10-rc1.

m@ (Inactive) added a comment:

Fixed as part of CONF-13693.
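The mechanism described in the comments (a filename concatenated into the popup's markup without escaping, so it runs for whoever lists the attachments) and the regression Matthew McVey reports (spaces becoming "+" in the wiki markup) modelled as an added JavaScript example. This is not Confluence's code and not the contents of insertlink-popup-common.vm; the function names, the sample filenames and the assumption that the "+" came from form-style URL encoding being applied to the wiki-markup payload are mine.

```javascript
// Added example (not Confluence's code): a minimal model of an "insert link"
// popup that lists attachments, rendered once without escaping and once with
// escaping chosen per output context. All names here are hypothetical.

// Constructed sample filenames; the second is the payload quoted on the issue.
const SAMPLE_ATTACHMENTS = [
  'quarterly report.pdf',
  "<script>alert('XSS')</script>",
  '<img src=x onerror=alert(1)>.png',
];

// Escape a value for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the filename is concatenated into the markup as-is,
// so the viewer's browser parses <script>...</script> as markup and runs it.
function renderAttachmentListVulnerable(fileNames) {
  const items = fileNames.map((name) => `<li data-filename="${name}">${name}</li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Hardened rendering: HTML-escape at the point the name enters HTML. The
// attribute gets the same treatment; a script reading el.dataset.filename
// receives the decoded original. Nothing is URL-encoded, so spaces survive.
function renderAttachmentListSafe(fileNames) {
  const items = fileNames.map((name) => {
    const safe = escapeHtml(name);
    return `<li data-filename="${safe}">${safe}</li>`;
  });
  return `<ul>${items.join('')}</ul>`;
}

// Wiki-markup attachment link as the editor inserts it: [^file name].
// The filename must stay literal here; this is not an HTML context.
function wikiAttachmentLink(fileName) {
  return `[^${fileName}]`;
}

// Spaces turning into "+" is the signature of form-style URL encoding
// (application/x-www-form-urlencoded). Assumption: that is what the comment
// about 2.9.2 describes. Applied to the wiki-markup payload it yields a link
// to a filename that does not exist.
function wikiAttachmentLinkFormEncoded(fileName) {
  return `[^${encodeURIComponent(fileName).replace(/%20/g, '+')}]`;
}

// True when the rendered list still contains a raw script or img tag after
// the list's own <ul>/<li> tags are removed: a quick regression check.
function containsRawTag(html) {
  const withoutListTags = html.replace(/<\/?(?:ul|li)\b[^>]*>/g, '');
  return /<(?:script|img)\b/i.test(withoutListTags);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderAttachmentListVulnerable(SAMPLE_ATTACHMENTS));
  console.log('safe:      ', renderAttachmentListSafe(SAMPLE_ATTACHMENTS));
  console.log('wiki link: ', wikiAttachmentLink(SAMPLE_ATTACHMENTS[0]));
  console.log('broken:    ', wikiAttachmentLinkFormEncoded(SAMPLE_ATTACHMENTS[0]));
}
```

Run it with node to see the four outputs side by side. The point a reviewer of the patch would check is that each copy of the filename is escaped for the context it lands in: HTML-escaped where it becomes text or an attribute value, left intact where it becomes the `[^...]` wiki markup, and never form-URL-encoded in either place.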
