[CONFSERVER-32641] Content Spoofing in the createrssfeed action

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.5
Affects Version/s: 5.4.2, 5.4.3
Component/s: None
Labels:

CVSS Score:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

A third party scan found that createrssfeed action is vulnerable to content spoofing, in specific text injection. In this case the content spoofing may be used to perform a phishing attack on users.

How to reproduce:
1. go to https://$confluence/$contextPath/wiki/spaces/createrssfeed.action?types=blogpost&spaces=ds&sort=modified&title=Please%20login%20at%20https://attacker.com&maxResults=15&publicFeed=false&os_authType=basic&rssType=atom
2. observe that the title parameter is found in the response.

Note: different browsers render the rss feed xml differently and while chrome just shows the raw xml, Internet Explorer and firefox both render the xml returned as a 'semi-html page'.

mentioned in: Page Failed to load; Page Failed to load

There are no comments yet on this issue.

Assignee:: Giang Vo

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 18/Feb/2014 12:01 AM

Updated:: 05/Dec/2019 1:31 AM

Resolved:: 18/Mar/2014 9:05 AM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates