[CONFSERVER-25541] multimedia macro allows execution of arbitrary scripts

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 5.1.4
Affects Version/s: 3.5.13, 4.2
Component/s: None
Labels:
- affects-server
- cvss-high
- editor
- loyalty
- security
- verified
- xss
Environment:

CentOS 5.8, JDK 1.6.0_29

CVSS Score:
6.5
Bug Fix Policy:
View Atlassian Server bug fix policy

The

{multimedia} macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded (user submitted) swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The {multimedia}

tag is bundled in with the base product and not an optional macro, so steps may need to be taken by Atlassian to fix this issue if there isn't a configuration setting anywhere.

This issue was reported by Workday's Security Operations team member Michael Carlson

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

HelloWorld.as
18/May/2012 8:44 PM
0.3 kB
David Corley
HelloWorld.swf
18/May/2012 8:44 PM
1 kB
David Corley

mentioned in: Wiki Page Failed to load

David Black added a comment - 21/May/2012 8:03 AM

CVSS score: 6.5 => High severity

Exploitability Metrics

AccessVector	Network
AccessComplexity	Low
Authentication	Single Instance

Impact Metrics

ConfImpact	Partial
IntegImpact	Partial
AvailImpact	Partial

See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

David Black added a comment - 21/May/2012 8:03 AM CVSS score: 6.5 => High severity Exploitability Metrics AccessVector Network AccessComplexity Low Authentication Single Instance Impact Metrics ConfImpact Partial IntegImpact Partial AvailImpact Partial See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

David Black added a comment - 21/May/2012 1:13 AM

Thank you for reporting this security vulnerability to Atlassian.

David Black added a comment - 21/May/2012 1:13 AM Thank you for reporting this security vulnerability to Atlassian.

David Corley added a comment - 18/May/2012 8:44 PM

Attached source code for the proof (.as file).

David Corley added a comment - 18/May/2012 8:44 PM Attached source code for the proof (.as file).

David Corley added a comment - 18/May/2012 8:44 PM

Attached a proof of concept that executes the javascript 'alert(document.cookie);'. Embed this in a comment or post with

{multimedia:name=HelloWorld.swf\|autostart=true}

David Corley added a comment - 18/May/2012 8:44 PM Attached a proof of concept that executes the javascript 'alert(document.cookie);'. Embed this in a comment or post with {multimedia:name=HelloWorld.swf\|autostart=true} .

Assignee:: Chii (Inactive)

Reporter:: David Corley

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 18/May/2012 8:44 PM

Updated:: 11/Oct/2018 8:37 AM

Resolved:: 22/May/2013 2:00 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: David Black added a comment - 21/May/2012 8:03 AM

Expand comment: David Black added a comment - 21/May/2012 8:03 AM

Collapse comment: David Black added a comment - 21/May/2012 1:13 AM

Expand comment: David Black added a comment - 21/May/2012 1:13 AM

Collapse comment: David Corley added a comment - 18/May/2012 8:44 PM

Expand comment: David Corley added a comment - 18/May/2012 8:44 PM

Collapse comment: David Corley added a comment - 18/May/2012 8:44 PM

Expand comment: David Corley added a comment - 18/May/2012 8:44 PM

People

Dates