Cross Site Scripting issue when integration RSS feeds

XMLWordPrintable

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 2.4.4
    • Affects Version/s: 2.4.2
    • Component/s: None
    • Environment:
      • standalone
      • Windows 2000 Server
      • JDK 1.4.-10

      When integrating RSS feeds Confluence converts "<" and ">" to "<" and ">". This allows the integration of arbitrary javascript into the generated HTML output. Because Confluence seems to allow cross-site-request-forging it may even be possible that a website issues the request to create the page with the infected RSS feed on behalf of the user.

        1. confluence-rss1.PNG
          confluence-rss1.PNG
          10 kB
        2. confluence-rss2.PNG
          confluence-rss2.PNG
          16 kB
        3. rss.xml
          0.4 kB

              Assignee:
              m@ (Inactive)
              Reporter:
              Bjoern Froebe
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: