Confluence Server and Data Center
CONFSERVER-9559

Cross-site scripting vulnerability in /dashboard.action

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2.5.7
    • Fix Version/s: 2.7.3
    • Component/s: None
    • Environment: Apache HTTP, 2.5.7 standalone, Windows Server 2003, Watchfire AppScan 7.6

      Description

      The test successfully embedded a script in the response, which will be executed once the page
      is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site
      Scripting attack.

      [1 of 3] Cross-Site Scripting in Parameter Name
      Severity: High
      Test Type: Application
      Vulnerable URL: http://xxx.yyy.com:8080/dashboard.action
      Remediation Tasks: Filter out hazardous characters from user input
      Variant 1 of 2 [ID=2465]
      The following changes were applied to the original request:
      • Added parameter '>'"><script>alert('Watchfire%20XSS%20Test%20Successful')</script>'
      Request/Response:
      GET /dashboard.action?>'"><script>alert('Watchfire%20XSS%20Test%20Successful')</script> HTTP/1.1
      Cookie: seraph.confluence=Zh\hNiQi[hZiOf]fOm\fOfUgSfZfWkYkWk; confluence.list.pages.cookie=list-recently-updated; confluence.browse.space.cookie=space-pages; JSESSIONID=4DAEC007BFA3515EC02547862F6B66E4
      Accept: */*
      Accept-Language: en-us
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; InfoPath.1; .NET CLR 2.0.50727)
      Host: xxx.yyyy.com:8080
      Connection: Keep-Alive

      HTTP/1.1 200 OK
      Content-Length: 46506
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Content-Type: text/html;charset=UTF-8
      Date: Wed, 22 Aug 2007 13:48:24 GMT

      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      <head>
      <title>Dashboard - MRLwiki TEST</title>
      <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
      <META HTTP-EQUIV="Expires" CONTENT="-1">
      <script language="javascript">
      var contextPath = '';
      var i18n = [];
      </script>
      <link rel="stylesheet" href="/s/809/1/1/_/styles/mainaction.css" type="text/css" />
      <link rel="shortcut icon" href="/images/icons/favicon.ico">
      <link rel="icon" type="image/png" href="/images/icons/favicon.png">
      <script type="text/javascript" src="/s/809/1/_/decorators/effects.js"></script>
      <link rel="alternate" type="application/rss+xml" title="Dashboard RSS Feed"
      href="/spaces/createrssfeed.action?types=page&types=blogpost&types=comment&spaces=&sort=modified&title=Dashboard+RSS+Feed&maxResults=15&publicFeed=false&os_authType=basic&rssType=rss2" />
      <link rel="alternate" type="application/atom+xml" title="Dashboard RSS Feed"
      href="/spaces/createrssfeed.action?types=page&types=blogpost&types=comment&spaces=&sort=modified&title=Dashboard+RSS+Feed&maxResults=15&publicFeed=false&os_authType=basic&rssType=atom" />
      <script type="text/javascript" src="/scripts/write.js"></script>
      </head>
      <body onload="placeFocus()">
      <script type="text/javascript">
      function hideMessage(messageId)
      {
        var message = document.getElementById(messageId);
        message.style.display = "none";
        setCookie(messageId, true);
      }
      </script>
      <div id="PageContent">
      <table border="0" cellpadding="0" cellspacing="0" width="100%">
      <tr class="topBar">
      <td align="left" width="85%">
      <a href="/homepage.action"><img src="/download/userResources/logo"
      align="absmiddle" border="0"></a> 
      <span class="topBarDiv">
      Dashboard
      </span>
      </td>
      <td align="right" valign="middle" style="white-space:nowrap">
      <form method="POST" action="/dosearchsite.action"
      name="searchForm" style="padding: 1px; margin: 1px">
      <input type="hidden" name="quickSearch" value="true" />
      <input type="hidden" name="searchQuery.spaceKey" value="conf_global" />
      <input type="text" accessKey="s" name="searchQuery.queryString" size="25"/>
      <input type="submit" value="Search"/>
      </form>
      </td>
      </tr>
      <tr>
      <td style="padding: 5px" colspan="2">
      <table style="padding: 0px; margin: 0px 5px; width: 100%;"
      cellspacing="0" cellpadding="1" border="0">
      <tr>
      <td valign="bottom" align="left" width="1%" nowrap> 
      <span class="logoSpaceLink">  
      </span>
      </td>
      <td align="right" valign="top" width="98%">
      <span class="smalltext" id="userNavBar">
      Welcome <a href="/display/~VULNSCAN"></a> |
      <a href="/users/viewuserprofile.action?
      username=VULNSCAN">Preferences</a> |
      <a href="/logout.action" id="logout">Log Out</a> 
      </span>
      ...
      Validation In Response:
      • Spaces:
      <li><a href="#" onClick="gotoUrl('/dashboard.action?>'"><script>alert('Watchfire XSS Test Successful')</script>=&spacesSelectedTab=my'); return false;">My</a></li>
      <li><a href="#
      Reasoning:
      The test successfully embedded a script in the response, which will be executed once the page
      is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site
      Scripting attack.
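The "Validation In Response" fragment above shows where the reflection happens: the raw query string of the request is copied verbatim into the onClick="gotoUrl('/dashboard.action?...')" handler of the dashboard tab links, so a quote or `>` in a parameter name ends the JavaScript string and the attribute. The following JavaScript is an added example, not Confluence code or part of this issue; it reproduces that rendering pattern beside a hardened version that rebuilds the query string from parsed parameters (so only URL-safe characters reach the attribute) and then HTML-attribute-escapes it, plus the reflection check the scanner effectively performed. The names renderTabLinkUnsafe, renderTabLinkSafe, safeQueryString, escapeHtmlAttr and responseReflectsMarker are hypothetical; the payload constant is the parameter name quoted in the report.

```javascript
// Added example (not Confluence's own code): the reflection pattern from the
// report beside a context-aware fix. All function names are hypothetical.

// Constructed input: the parameter name AppScan appended in variant 1 above.
const SCAN_PAYLOAD =
  ">'\"><script>alert('Watchfire%20XSS%20Test%20Successful')</script>";

// Vulnerable form: mirrors the markup quoted under "Validation In Response".
// The query string is interpolated verbatim into a JS string literal that
// itself sits inside an HTML attribute; a quote or '>' breaks out of both.
function renderTabLinkUnsafe(queryString) {
  return '<li><a href="#" onClick="gotoUrl(\'/dashboard.action?' +
    queryString + '=&spacesSelectedTab=my\'); return false;">My</a></li>';
}

// Canonicalise the query string: parse it into name/value pairs and
// re-serialise with application/x-www-form-urlencoded rules, which
// percent-encode every character outside [A-Za-z0-9*-._] (space becomes '+').
// A name with no value (as in the scanner's request) serialises as "name=".
function safeQueryString(queryString) {
  return new URLSearchParams(queryString).toString();
}

// Escape the characters that matter inside a double-quoted HTML attribute.
// After safeQueryString only '&' can still occur, but escaping here keeps the
// renderer correct regardless of what a caller passes in.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: same markup, but by the time the query string is
// interpolated it cannot contain a quote, '<', '>' or a raw '&'.
function renderTabLinkSafe(queryString) {
  const qs = [safeQueryString(queryString), 'spacesSelectedTab=my']
    .filter(Boolean)
    .join('&');
  return '<li><a href="#" onClick="gotoUrl(\'/dashboard.action?' +
    escapeHtmlAttr(qs) + '\'); return false;">My</a></li>';
}

// The check the scanner performed: does a marker sent in the request come
// back in the response body unencoded? Useful for a regression test.
function responseReflectsMarker(responseBody, marker) {
  return responseBody.includes(marker);
}

// Stand-alone run: show both renderings for the report's payload.
console.log(renderTabLinkUnsafe(SCAN_PAYLOAD));
console.log(renderTabLinkSafe(SCAN_PAYLOAD));
```

Rebuilding the query string is the right fix for this particular sink because the reflected value is meant to be a URL query, so percent-encoding loses nothing; attribute escaping on top of it is defence in depth. The same "parse, then re-serialise for the output context" approach generalises to any place a request component is echoed into a URL inside script or markup.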

              People

              Assignee:
              don.willis@atlassian.com Don Willis
              Reporter:
              marois Jean Marois