[CONFSERVER-7615] XSS bug: usernames not HTML-encoded in all places

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.1, 2.10
Affects Version/s: 2.2.9, 2.3
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

When signing up for an account, it is possible to enter a username like "<script src=http://drevil.com/xss>fred</script>". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks.

Two places I've spotted the raw HTML so far:

Most prominently, when an admin goes to Manage Users -> Show All Users, and the username displays in the list, the raw HTML is rendered.
When editing a page created by such a user, the togglePermissions() javascript will display it, breaking later tags:

if ($('edit-personal').checked) $('editPermission').value = "<script src=http://drevil.com/xss>fred</script>";

causes

CONFSERVER-13890 Tooltip showing number of attachments is showing for all items in the Browse menu

Closed

is blocked by

CONFSERVER-9627 Velocity does not automatically escape HTML entities when substituting variables

Closed

is related to

CONFSERVER-11002 viewuser.action has an XSS problem around username

Closed

Chris Kiehl added a comment - 02/Sep/2008 2:16 AM - edited

If you are unable to upgrade to 2.9.1 you can fix this issue in your installation by editing one line in the file confluence/template/includes/menu-macros.vm which resides in your Confluence installation directory:

Change

#menuMacros_renderMenu("user-menu-link", $user.fullName, "user", "system.user")

#menuMacros_renderMenu("user-menu-link", $generalUtil.htmlEncode($user.fullName), "user", "system.user")

Chris Kiehl added a comment - 02/Sep/2008 2:16 AM - edited If you are unable to upgrade to 2.9.1 you can fix this issue in your installation by editing one line in the file confluence/template/includes/menu-macros.vm which resides in your Confluence installation directory: Change #menuMacros_renderMenu( "user-menu-link" , $user.fullName, "user" , "system.user" ) to #menuMacros_renderMenu( "user-menu-link" , $generalUtil.htmlEncode($user.fullName), "user" , "system.user" )

Chris Kiehl added a comment - 13/Aug/2008 11:09 PM - edited

Those two cases are already fixed, but while looking for those two I found another place where data is written unescaped.

Chris Kiehl added a comment - 13/Aug/2008 11:09 PM - edited Those two cases are already fixed, but while looking for those two I found another place where data is written unescaped.

Samuel Le Berrigaud added a comment - 26/Jul/2007 5:17 AM

While usernames are still not encoded in all places, the signup is no longer possible, see CONF-7497

Samuel Le Berrigaud added a comment - 26/Jul/2007 5:17 AM While usernames are still not encoded in all places, the signup is no longer possible, see CONF-7497

Assignee:: Chris Kiehl

Reporter:: Jeff Turner

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 10/Jan/2007 3:32 AM

Updated:: 11/Oct/2018 8:53 AM

Resolved:: 03/Sep/2008 1:21 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Chris Kiehl added a comment - 02/Sep/2008 2:16 AM, Edited by m@ - 02/Sep/2008 2:26 AM

Expand comment: Chris Kiehl added a comment - 02/Sep/2008 2:16 AM, Edited by m@ - 02/Sep/2008 2:26 AM

Collapse comment: Chris Kiehl added a comment - 13/Aug/2008 11:09 PM, Edited by Chris Kiehl - 02/Sep/2008 2:10 AM

Expand comment: Chris Kiehl added a comment - 13/Aug/2008 11:09 PM, Edited by Chris Kiehl - 02/Sep/2008 2:10 AM

Collapse comment: Samuel Le Berrigaud added a comment - 26/Jul/2007 5:17 AM

Expand comment: Samuel Le Berrigaud added a comment - 26/Jul/2007 5:17 AM

People

Dates