Project: Confluence Data Center
Issue: CONFSERVER-34009

Flash content-type sniffing allows Cross Site Data Hijacking


Details

    Description

      As documented at http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website, it is possible to upload a Flash (.swf) file to Confluence with a content type other than Flash's (for example an image type). Flash Player identifies a movie by sniffing the file's content rather than trusting the served Content-Type, so when the attachment is embedded as a Flash object on an attacker's domain it executes with the origin of the Confluence instance hosting it and can make requests to that instance, and read the responses, on behalf of a logged-in user. This bug can be used to steal a user's XSRF/CSRF token.

      Steps to reproduce

      1. Set up a Confluence instance
      2. Rename a Flash file (.swf) to have any image extension (e.g. .png)
      3. Upload the renamed file to Confluence as an attachment and confirm that it is served with an image content type (e.g. image/png)
      4. Open http://0me.me/demo/SOP/CrossDomainDataHijackHelper.html
      5. Enter the direct URL of the attachment in the "Flash File" field
      6. Enter the Confluence base URL in the "Target Page" field
      7. Click the "RUN" button

      Current behaviour: the Flash file is loaded and rendered by Flash Player despite the image content type, so requests are made to Confluence from the attacker's page
      Expected behaviour: the attachment should not be loadable as a Flash movie
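      The root cause is that the declared type (extension or client-supplied Content-Type) is trusted while Flash Player looks only at the leading bytes of the body. The following Python is an added illustration of the server-side check that closes this class of bug; it is not code from Confluence or from the reporter. It validates an upload by its magic bytes (FWS/CWS/ZWS for SWF, the PNG/JPEG/GIF signatures for images, all from the published format specifications), refuses any body that is a Flash movie regardless of what was declared, and builds the defence-in-depth headers for serving attachments. The sample bodies are constructed here, and the function and variable names are this example's own.

```python
from typing import Dict, Optional, Tuple

# Magic bytes from the SWF and image format specifications. Flash Player
# decides whether a response is a movie from these leading bytes, not from
# the filename extension or the HTTP Content-Type, which is why a renamed
# .swf served as image/png still runs.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")        # uncompressed, zlib, LZMA
IMAGE_MAGICS: Dict[str, Tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
FLASH_TYPE = "application/x-shockwave-flash"


def is_swf(data: bytes) -> bool:
    """True if the body starts like a Flash movie, whatever it is called."""
    return data[:3] in SWF_MAGICS


def sniffed_type(data: bytes) -> Optional[str]:
    """Type derived from content alone; None if nothing is recognised."""
    if is_swf(data):
        return FLASH_TYPE
    for mime, magics in IMAGE_MAGICS.items():
        if data.startswith(magics):
            return mime
    return None


def validate_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Accept an attachment only if its content matches the type it will be
    served as; an SWF body is refused no matter what the client declared."""
    actual = sniffed_type(data)
    if actual == FLASH_TYPE:
        return False, "rejected: body is a Flash movie (declared %s)" % declared_type
    if declared_type in IMAGE_MAGICS and actual != declared_type:
        return False, "rejected: declared %s but content sniffs as %s" % (
            declared_type, actual or "unknown")
    return True, "accepted"


def attachment_headers(declared_type: str, filename: str) -> Dict[str, str]:
    """Defence-in-depth headers for serving any user upload. Content-Disposition:
    attachment makes browsers download rather than render (later Flash Player
    versions also refuse to load SWFs served this way); X-Content-Type-Options
    stops browser MIME sniffing but is a browser-level control, not a plugin one."""
    safe_name = filename.replace("\\", "").replace('"', "")  # minimal quoting for the example
    return {
        "Content-Type": declared_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample bodies (not files from the issue): a PNG header, and two
# SWF headers "renamed" to an image type the way the reproduction steps describe.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
SAMPLE_SWF_AS_PNG = b"FWS\x0a" + (30).to_bytes(4, "little") + b"\x00" * 22
SAMPLE_CWS_AS_PNG = b"CWS\x0a" + (30).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 20

if __name__ == "__main__":
    for name, body, declared in (
        ("logo.png", SAMPLE_PNG, "image/png"),
        ("logo.png", SAMPLE_SWF_AS_PNG, "image/png"),
        ("logo.png", SAMPLE_CWS_AS_PNG, "image/png"),
    ):
        ok, why = validate_upload(body, declared)
        print(name, declared, "->", why)
        if ok:
            print("   serve with", attachment_headers(declared, name))
```

      The check deliberately ignores the filename: renaming to .png is exactly what the steps above do, so only the body can be trusted. Rejecting at upload time is the primary fix; serving attachments from a separate origin (as the linked Detectify post recommends) and with the headers above limits the damage if a polyglot or an unrecognised format gets through.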

People

hho Hao Trung Ho (Inactive)
dblack David Black
Votes: 0
Watchers: 4