Description
The RSS feed macro currently appears to be enabled by default in Confluence. This is contrary to the information contained in the following Confluence documentation:
https://confluence.atlassian.com/display/DOC/RSS+Feed+Macro
While a whitelist is enforced by default, Confluence implicitly trusts itself, so it is possible to exploit this issue through an attached RSS file.
Steps to reproduce:
1. Create a new page.
2. Attach the CONF-31007.xml file to the new page.
3. On the new page, add an RSS macro with an RSS Feed URL pointing to the ^CONF-31007.xml attachment, then add &os_username=$ATTACK_USERNAME&os_password=$ATTACK_PASSWORD to the end of the URL to make Confluence authorize against itself so it is able to access the attachment.
   The resulting URL should look something like the following:
   http://$confluence/download/attachments/557071/simple.xml?api=v2&os_username=myuser&os_password=myuser
4. Save the page.
5. Observe two alert prompts with the numbers 1 and 2 in them.
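A defensive audit for the pattern in the steps above, as an added example that is not part of the original report: it flags RSS macro feed URLs that point at an attachment on the same Confluence host or that carry os_username/os_password. The function names, the example.test and example.org hosts, and the assumption that the macro feed URLs have already been collected into a list are all illustrative.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Request parameters the report appends so Confluence authenticates to itself.
CRED_PARAMS = {"os_username", "os_password"}
ATTACHMENT_PATH = "/download/attachments/"


def audit_feed_url(feed_url, base_url):
    """Return the findings for one RSS macro feed URL (empty list = clean)."""
    feed, base = urlsplit(feed_url), urlsplit(base_url)
    findings = []
    # Compare hostnames only (case-insensitive) so an http/https or port
    # difference does not hide a feed served by the same instance.
    same_host = (feed.hostname or "").lower() == (base.hostname or "").lower()
    # Decode the path and use a substring match to cover context paths (/wiki).
    if same_host and ATTACHMENT_PATH in unquote(feed.path).lower():
        findings.append("self-hosted-attachment")
    # parse_qsl percent-decodes names, so os%5Fusername is caught as well.
    names = {k.lower() for k, _ in parse_qsl(feed.query, keep_blank_values=True)}
    if names & CRED_PARAMS:
        findings.append("credentials-in-url")
    return findings


def audit_macros(feed_urls, base_url):
    """Map each flagged feed URL to its findings; clean URLs are omitted."""
    results = {u: audit_feed_url(u, base_url) for u in feed_urls}
    return {u: f for u, f in results.items() if f}


# Constructed sample data: the first URL has the shape shown in the report.
BASE = "http://confluence.example.test"
SAMPLE_FEEDS = [
    BASE + "/download/attachments/557071/simple.xml"
    "?api=v2&os_username=myuser&os_password=myuser",
    "http://CONFLUENCE.example.test:8090/wiki/download/attachments/1/a.xml",
    "https://blog.example.org/feed.xml?os%5Fpassword=x",
    "https://blog.example.org/feed.xml",
]

if __name__ == "__main__":
    for url, findings in audit_macros(SAMPLE_FEEDS, BASE).items():
        print(", ".join(findings), "<-", url)
```

A feed URL flagged with both findings matches the reproduction exactly; credentials in a macro URL are worth reviewing on their own, since they are stored in the page body.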
Issue Links
- is caused by: CONFSERVER-10929 Browsing to an invalid tinyurl throws large IllegalStateException (Closed)