CONFSERVER-46953

persistent xss vulnerability through uploaded files in IE8/9


      It is possible to upload a number of file types (checked by extension) to an Answers instance and then download them later. Internet Explorer (8/9) sniffs text/plain (and some other content-types) downloads to determine the content-type to use. This means that a text/plain content-type file in Internet Explorer can be rendered as text/html (as HTML). To solve this problem it is possible to:
      1. set the Content-Disposition header to "attachment"
      2. and/or set the X-Content-Type-Options header to "nosniff"
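To make the reasoning in the report concrete, here is an added example in Python (it is not code from this issue or from the Answers code base): a checker that applies the three conditions above to captured download responses, and a helper that sets both recommended headers. The sniffable content-type list, the markup heuristic and the sample responses are constructed approximations for illustration, not IE's actual sniffing table.

```python
"""
Checks whether a download response can be rendered as HTML by a sniffing
browser such as IE8/9, and hardens the response headers as the issue suggests.
"""
import re
from typing import Dict, Mapping

# Content types that IE8/9 would sniff for markup. Constructed for this
# example; it is a simplification, not the browser's full sniffing table.
SNIFFABLE_TYPES = {"", "text/plain", "application/octet-stream", "application/unknown"}

# Markup that, when it appears near the start of a sniffable body, makes the
# browser treat the file as HTML. Simplified approximation of the heuristic.
HTML_MARKUP = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|title|a\s|img|div|table)",
    re.IGNORECASE,
)


def _normalize(headers: Mapping[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive, as in HTTP."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def would_render_as_html(headers: Mapping[str, str], body: bytes) -> bool:
    """
    True if a sniffing browser would execute the body as a page in the
    serving origin. Mirrors the conditions described in the report.
    """
    h = _normalize(headers)
    declared = h.get("content-type", "").split(";", 1)[0].strip().lower()

    # Fix 1: an attachment disposition forces a download; nothing is rendered.
    if h.get("content-disposition", "").lower().startswith("attachment"):
        return False

    # Fix 2: nosniff makes the declared type authoritative.
    if "nosniff" in h.get("x-content-type-options", "").lower():
        return declared == "text/html"

    # Neither fix applied: the declared type wins unless it is sniffable and
    # the first 256 bytes look like HTML, in which case the browser upgrades it.
    if declared == "text/html":
        return True
    return declared in SNIFFABLE_TYPES and HTML_MARKUP.search(body[:256]) is not None


def harden_download_headers(headers: Mapping[str, str], filename: str) -> Dict[str, str]:
    """
    Return a copy of the headers with both mitigations applied. The filename
    is sanitized so a user-controlled upload name cannot inject extra headers
    or break out of the quoted parameter.
    """
    safe_name = re.sub(r'[\r\n"\\]', "_", filename) or "download"
    hardened = dict(headers)
    hardened["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    hardened["X-Content-Type-Options"] = "nosniff"
    return hardened


def audit(responses):
    """Names of captured responses that a sniffing browser would render as HTML."""
    return [name for name, headers, body in responses if would_render_as_html(headers, body)]


# Constructed sample: a .txt upload whose body is really an HTML payload.
PAYLOAD = b"<html><body><script>alert(document.cookie)</script></body></html>"
SAMPLES = [
    ("notes.txt as served", {"Content-Type": "text/plain"}, PAYLOAD),
    ("notes.txt with nosniff",
     {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}, PAYLOAD),
    ("notes.txt hardened",
     harden_download_headers({"Content-Type": "text/plain"}, "notes.txt"), PAYLOAD),
]

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("renders as HTML:", name)
```

The two headers are not interchangeable: nosniff only pins the declared Content-Type, so a file served as text/html by mistake still renders; an attachment disposition stops rendering regardless of the declared type, which is why the report lists both. The filename sanitization in the helper is the extra check a practitioner wants once upload names are echoed into a response header.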


            Joe Clark added a comment - edited

            We're planning to deploy a hotfix containing the fix for this issue and for ANSWERS-1188. Should be done this week.


            Joe Clark added a comment -

            Fixed here - https://bitbucket.org/atlassian/answers_development/commits/128715116d255f16331b99908d3c890c53248a9c

            I put the wrong issue key in the commit message because I'm an idiot.


            David Black added a comment -

            jclark@atlassian.com / jlargman what's happening with this issue?

            Jeremy Largman added a comment -

            Sorry, missed it, we'll fix it in the next release.

            David Black added a comment -

            jlargman what is happening with this issue?

            David Black added a comment - edited

            CVSS score: 6 => High severity

            Exploitability Metrics

            AccessVector Network
            AccessComplexity Medium
            Authentication Single Instance

            Impact Metrics

            ConfImpact Partial
            IntegImpact Partial
            AvailImpact Partial

            See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.
