Example:

      • insert lorem ipsum macro
      • edit macro in lightbox and press preview
      • alter the post request as follows:

      POST /confluence/rest/tinymce/1/macro/preview HTTP/1.1
      Host: test.foo.com
      Connection: keep-alive
      Content-Length: 136
      Accept: text/html, */*; q=0.01
      Origin: https://test.foo.com
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
      Content-Type: application/json; charset=UTF-8
      Referer: https://test.foo.com/confluence/pages/editpage.action?pageId=123456
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
      Cookie: [...]

      {"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}

      • an alert box pops up

      This kind of attack works for all available macros.
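The request above shows the attacker-controlled macro name being written into the preview HTML without encoding. As an added illustration (not code from the report or from Atlassian's tinymce plugin), here is a minimal Python model of such a preview endpoint beside an output-encoded version, plus a classifier a tester can run over a captured preview response to tell raw reflection from escaped reflection when verifying a fix. The renderer functions, the `REGISTERED_MACROS` set and the HTML shape are assumptions; only the JSON body and the `<script>alert(1)</script>` canary come from the report.

```python
import html
import json

# Constructed stand-in for the macro registry; the real one is Confluence's own.
REGISTERED_MACROS = {"lorem-ipsum", "code", "toc"}

# Request body and canary taken from the report above.
REPORT_BODY = '{"contentId":"12345","macro":{"name":"lorem-ipsum<script>alert(1)</script>","body":""}}'
CANARY = "<script>alert(1)</script>"


def render_preview_vulnerable(macro: dict) -> str:
    """Hypothetical model of the faulty preview endpoint.

    The editor-supplied macro name is interpolated straight into the placeholder
    markup, so any markup appended to a real name becomes live HTML. Note that
    the registry check does not help: the unknown-macro error path echoes the
    name too, which is why every macro is affected.
    """
    name = macro["name"]
    if name in REGISTERED_MACROS:
        return f'<div class="wysiwyg-macro" data-macro-name="{name}">{macro.get("body", "")}</div>'
    return f'<div class="error">Unknown macro: {name}</div>'


def render_preview_fixed(macro: dict) -> str:
    """Same endpoint with output encoding on every attacker-influenced string.

    quote=True also escapes double quotes, which matters because the name lands
    inside an attribute value as well as in text content.
    """
    raw_name = macro["name"]
    name = html.escape(raw_name, quote=True)
    body = html.escape(macro.get("body", ""), quote=True)
    if raw_name in REGISTERED_MACROS:
        return f'<div class="wysiwyg-macro" data-macro-name="{name}">{body}</div>'
    return f'<div class="error">Unknown macro: {name}</div>'


def classify_reflection(response_html: str, canary: str) -> str:
    """Tell how a preview response reflects the probe: 'raw' (exploitable),
    'escaped' (encoded, the fix is in place) or 'absent' (not reflected)."""
    if canary in response_html:
        return "raw"
    if (html.escape(canary, quote=True) in response_html
            or html.escape(canary, quote=False) in response_html):
        return "escaped"
    return "absent"


def probe(render, body_json: str = REPORT_BODY, canary: str = CANARY) -> str:
    """Feed the report's JSON body to a renderer and classify its output."""
    macro = json.loads(body_json)["macro"]
    return classify_reflection(render(macro), canary)


if __name__ == "__main__":
    print("vulnerable:", probe(render_preview_vulnerable))  # raw
    print("fixed:     ", probe(render_preview_fixed))       # escaped
```

To check a live instance after patching, send the report's body to `/rest/tinymce/1/macro/preview` with the session cookie, then pass the response body and the canary to `classify_reflection`; anything other than `escaped` or `absent` means the name is still being written out unencoded.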

            [CONFSERVER-30263] XSS attack in macro rendering preview

            Bernd Schaper added a comment -

            The tests were successful. Thank you very much for the patch.

            Bernd Schaper added a comment -

            Thank you for the patch, I will try it soon.

            JesperA added a comment - edited

            I've confirmed that this fix works with Confluence 4.3.7. To apply it, please download the attached file confluence-tinymce-plugin-4.3.7-CONF30263-1.jar, and install it by following the steps described here: https://confluence.atlassian.com/display/CONFKB/How+to+Replace+a+Bundled+Plugin

            Bernd Schaper added a comment -

            Hello Steve,

            thank you very much for your reply, I hope you are able to supply a patch soon.

            regards,
            Bernd

            Steve Haffenden (Inactive) added a comment -

            Hi Bernd

            Thanks for the update. I understand that this is important for you, I'll chase this up and see what I can do.

            Regards

            Bernd Schaper added a comment -

            Hello Steve,

            we are just in the upgrade process from 3.5 to 4.3 (our security test was performed against the 4.3 test installation on our side). This upgrade already took a lot of time (we have self-developed plugins/macros/theme); a switch to the latest version of Confluence is not possible at the moment (but planned for next year).
            Version 4.3 has not reached EOL (planned EOL date: Jan 29, 2015), so we - as an enterprise license customer - would expect to get security fixes for this version.
            If you don't supply a patch, we need to know at least how to patch this issue in 4.3.

            regards,
            Bernd

            Steve Haffenden (Inactive) added a comment -

            Hi Bernd

            Given the severity of this particular issue it is unlikely that we will provide a patch for earlier versions of Confluence. Our advice would be to upgrade to the latest version of Confluence which will provide this security fix by default.

            Regards

            Bernd Schaper added a comment -

            Will you create a bugfix/patch for 4.3.7?

              alwang Alice Wang (Inactive)
              957164863928 Bernd Schaper