• Type: Bug
• Resolution: Fixed
• Priority: Medium
• Fix Version/s: 5.2
• Affects Version/s: 3.1, 3.5.13, 5.1-OD-4
• Component/s: None
• Labels:

  • affects-cloud
  • affects-server
  • bf_triage
  • cvss-high
  • loyalty
  • security
  • spaces
  • verified

[CONFSERVER-20865] XSS vulnerability in space key, particularly with decorators off

Collapse comment: Chii (Inactive) added a comment - 05/Jul/2013 2:58 AM

Chii (Inactive) added a comment - 05/Jul/2013 2:58 AM

yea i've since found out that locking down the rpc isn't going to work very well (and that LDAP users could just bypass it anyway).

Removed the decorator parameters instead - this will at least lessen the surface area of attack (and we have existing tests for usernames with html/xss attacks in them).

Expand comment: Chii (Inactive) added a comment - 05/Jul/2013 2:58 AM

Chii (Inactive) added a comment - 05/Jul/2013 2:58 AM yea i've since found out that locking down the rpc isn't going to work very well (and that LDAP users could just bypass it anyway). Removed the decorator parameters instead - this will at least lessen the surface area of attack (and we have existing tests for usernames with html/xss attacks in them).

Collapse comment: Richard Atkins added a comment - 04/Jul/2013 2:09 AM

Richard Atkins added a comment - 04/Jul/2013 2:09 AM

This can also be an issue if the Confluence instance (or Crowd instance that Confluence delegates to) is linked with LDAP, since LDAP has next to no restrictions on the usernames it hosts. If the upstream LDAP is compromised, we don't want to allow further exploits via that either.

If you remove the ability to create xss users via RPC, you'll have to add a way in the confluence test plugin to still create xss users so we can verify that the correct url and html escaping is done. We have several (xss checking) smoke tests that rely on this feature to function.

Expand comment: Richard Atkins added a comment - 04/Jul/2013 2:09 AM

Richard Atkins added a comment - 04/Jul/2013 2:09 AM This can also be an issue if the Confluence instance (or Crowd instance that Confluence delegates to) is linked with LDAP, since LDAP has next to no restrictions on the usernames it hosts. If the upstream LDAP is compromised, we don't want to allow further exploits via that either. If you remove the ability to create xss users via RPC, you'll have to add a way in the confluence test plugin to still create xss users so we can verify that the correct url and html escaping is done. We have several (xss checking) smoke tests that rely on this feature to function.

Collapse comment: VitalyA added a comment - 24/Jul/2012 6:39 AM

VitalyA added a comment - 24/Jul/2012 6:39 AM

This is only an issue if one can create "bad" usernames, which is not possible anymore.

Expand comment: VitalyA added a comment - 24/Jul/2012 6:39 AM

VitalyA added a comment - 24/Jul/2012 6:39 AM This is only an issue if one can create "bad" usernames, which is not possible anymore.

Collapse comment: Matt Ryall added a comment - 14/Jun/2011 11:34 PM

Matt Ryall added a comment - 14/Jun/2011 11:34 PM

Note that the security risk of this is actually quite low. Public signup prevents usernames containing HTML characters (angle brackets, ampersands and quotes), so you'd have to be an admin to exploit this.

I think it's a low priority security vulnerability and also a low priority bug, since it only "breaks" pages when using ?decorator=none.

Expand comment: Matt Ryall added a comment - 14/Jun/2011 11:34 PM

Matt Ryall added a comment - 14/Jun/2011 11:34 PM Note that the security risk of this is actually quite low. Public signup prevents usernames containing HTML characters (angle brackets, ampersands and quotes), so you'd have to be an admin to exploit this. I think it's a low priority security vulnerability and also a low priority bug, since it only "breaks" pages when using ?decorator=none.