Confluence Data Center / CONFSERVER-35189

"Recently updated" plugin can be used to reflect arbitrary static content to browser


      This request:

      <home>/plugins/recently-updated/changes.action?theme=XXXXXXXX
      

      results in the response:

      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache, must-revalidate
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      X-Confluence-Request-Time: 1412654577325
      X-Seraph-LoginReason: OK
      X-AUSERNAME: admin
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      Content-Type: text/html;charset=UTF-8
      Date: Tue, 07 Oct 2014 04:02:57 GMT
      Content-Length: 277
      
          <ul>
                  <li class="update-item update-item-error">XXXXXXXX
       no supported.</li>
              </ul>
      

      Which in turn renders as a web page. This way an attacker can construct a web page and pretend it has come from Confluence. It is not possible to embed HTML tags.

      Also, bad grammar

      Reported by a customer.

              honguyen Hoang Nguyen (Inactive)
              vosipov VitalyA
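
One way to stop this kind of reflection, shown as an added example that is not Atlassian's code or the fix applied to this issue: validate `theme` against an allowlist and answer with a fixed message that contains no request data. The theme names, the `Response` type and all method names are assumptions made for illustration.

```java
import java.util.Set;

public class ThemeErrorDemo {
    // Assumed theme names for illustration; the issue does not list the supported values.
    static final Set<String> SUPPORTED_THEMES = Set.of("concise", "social", "sidebar");

    // Minimal stand-in for an HTTP response (hypothetical type, not a Confluence class).
    static final class Response {
        final int status;
        final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
    }

    static boolean supported(String theme) {
        // Set.of(...) rejects null lookups, so guard before calling contains().
        return theme != null && SUPPORTED_THEMES.contains(theme);
    }

    static String errorItem(String text) {
        return "<ul><li class=\"update-item update-item-error\">" + text + "</li></ul>";
    }

    // Behaviour reported in the issue: 200 OK with the rejected value echoed into the page.
    // The report says tags cannot be embedded, so no markup handling is modelled here.
    static Response reflecting(String theme) {
        if (supported(theme)) return new Response(200, "<!-- changes list -->");
        return new Response(200, errorItem(theme + " no supported."));
    }

    // Hardened variant: constant error text and a 400 status, so nothing the
    // requester supplied appears in the response body.
    static Response hardened(String theme) {
        if (supported(theme)) return new Response(200, "<!-- changes list -->");
        return new Response(400, errorItem("The requested theme is not supported."));
    }

    public static void main(String[] args) {
        // Constructed marker standing in for caller-chosen static text.
        String marker = "reflection-probe-7f3a";
        Response before = reflecting(marker);
        Response after = hardened(marker);
        System.out.println("reflecting: " + before.status + " reflected=" + before.body.contains(marker));
        System.out.println("hardened:   " + after.status + " reflected=" + after.body.contains(marker));
    }
}
```

The same marker-in-body check works as a regression test against a patched instance: request the action with an unsupported `theme` value and assert that the value does not appear in the response.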