CONF-16888 has introduced or re-introduced an XSS vulnerability.

      To reproduce:

      • Create a new user, and for the Full Name use:
        <script>alert('Vulnerable')</script>
      • Go to ../admin/indexbrowser.jsp and find the entry
      • Click on the entry, and the script is executed.

      This also happens for other content types.
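The bug in the steps above is a stored XSS: a value an attacker controls (the Full Name of a user they created) is written into the index browser's HTML unescaped, so it runs when an administrator opens the entry. Below is an added example, not Confluence code, of the same rendering pattern in its vulnerable and hardened forms. The entry fields (`docId`, `type`, `title`), the function names and the sample entries are assumptions standing in for the Lucene document fields the index browser lists; the payload is the one from the report.

```javascript
// Added example (not Confluence's own code): rendering index-browser
// entries as links to viewdocument.jsp, first unescaped (stored XSS),
// then with output encoding for each HTML context.

// Payload from the bug report, used as a user's Full Name.
const PAYLOAD = "<script>alert('Vulnerable')</script>";

// Constructed sample entries; the field names are an assumption standing
// in for the Lucene document fields the index browser lists.
const SAMPLE_ENTRIES = [
  { docId: 1, type: "userinfo", title: PAYLOAD },          // attacker's Full Name
  { docId: 2, type: "page", title: 'Foo "bar" & <baz>' },  // ordinary awkward title
];

// Vulnerable: indexed field values are concatenated straight into markup.
function renderEntriesVulnerable(entries) {
  return entries
    .map((e) => `<a href="viewdocument.jsp?id=${e.docId}&type=${e.type}">${e.title}</a>`)
    .join("\n");
}

// HTML-escape for element text and for double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: query parameters are URL-encoded (URLSearchParams), then the
// href and the link text are HTML-escaped for their respective contexts.
function renderEntriesSafe(entries) {
  return entries
    .map((e) => {
      const qs = new URLSearchParams({ id: String(e.docId), type: String(e.type) });
      const href = `viewdocument.jsp?${qs.toString()}`;
      return `<a href="${escapeHtml(href)}">${escapeHtml(e.title)}</a>`;
    })
    .join("\n");
}

// Coarse check a reviewer can run over rendered output: does a raw <script
// tag survive? The template itself never emits one, so any hit is injected.
function containsRawScript(html) {
  return /<script/i.test(html);
}

// Stand-alone demonstration.
console.log("vulnerable:", containsRawScript(renderEntriesVulnerable(SAMPLE_ENTRIES)));
console.log("hardened:  ", containsRawScript(renderEntriesSafe(SAMPLE_ENTRIES)));
```

The escaping has to be applied at the point of output, per context: the same Full Name needs `&lt;`/`&gt;` in element text and `&quot;` inside an attribute, and anything placed in a query string is URL-encoded first and HTML-escaped second. Checking only the page that stores the value is not enough, which is why the same field showed up again through other content types.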

            [CONFSERVER-17165] Links from indexbrowser.jsp are vulnerable to XSS attacks

            Giles Gaskell [Atlassian] added a comment - Changed 'affects version' to 2.5, which is the earliest permitted value for this field. All previous versions of Confluence are affected by this vulnerability.

            Per Fragemann [Atlassian] added a comment - Changing back fixversion to be only m7 when issue is irrelevant to the public. Only externally-relevant issues now bear m7 AND 3.1. I should have left these issues as they were in the first place...

            Penny Wyatt (On Leave to July 2021) added a comment - Verified fix in 3.1 and the attached patch for 3.0.X.

            Anatoli added a comment - edited

            Note to Confluence Administrators wishing to patch/fix this vulnerability in confluence 3.0.x:

            1. Please replace the <CONFLUENCE>/admin/viewdocument.jsp file with the one attached to this issue.
            2. Restart your Confluence server.

            Mark Hrynczak (Inactive) added a comment - Patch is needed for previous versions.

            Penny Wyatt (On Leave to July 2021) added a comment - Verified fix, reviewed test, checked for other similar vulnerabilities in the index browser.

            Brian Nguyen (Inactive) added a comment - Wouldn't this XSS hole be affecting 3.0 and 2.10 as well?

            Anatoli added a comment -

            Talked to support. They don't use this feature a lot but would still want to keep it there. Since it was easy to fix I just fixed it.

            Per Fragemann [Atlassian] added a comment - Anatoli, can you take this bug over? To be honest, I'd prefer just to fix it, and not change any technology, if possible

            Don Willis added a comment -

            http://confluence.atlassian.com/display/DOC/Content+Index+Administration#ContentIndexAdministration-ViewingtheIndexBrowser

            The XSS was actually always there. CONF-16888 fixes a bug in it, but actually if the administrator entered the home directory themselves I believe it still worked.

            Dave L recommends removing the indexbrowser and using Luke instead. My own experience with Luke has been unpleasant but I may have been very unlucky.

            I suggest discussing this with support staff to see if they actually use the indexbrowser and/or would rather use Luke.

              akazatchkov Anatoli
              mhrynczak Mark Hrynczak (Inactive)