Bug
Resolution: Fixed
Medium
2.5.5
None
Build Information:
confluence.home: /opt/j2ee/domains/atlassian.com/confluence/webapps/atlassian-confluence/data
system.uptime: 5 days, 17 hours, 28 minutes, 31 seconds
system.version: 2.5.5
build.number: 811
The Confluence wiki does contain an XSS possibility in the exception error page.
The user input string is NOT output encoded at the following lines:
a) - - Query String: url=<script>alert(document.cookie)</script><br>
b) - javax.servlet.forward.query_string : url=<script>alert(document.cookie)</script><br>
c) - atlassian.core.seraph.original.url : /rpc/trackback?url=<script>alert(document.cookie)</script><br>
Please find below a link showing the vulnerability. Please be aware this URL is only an example of the vulnerability. The error is in the missing output encoding in the exception error page.
http://confluence.atlassian.com/rpc/trackback?url=<script>alert(document.cookie)</script>
Generated HTML source:
<p> <b>Information:</b><br>
URL: http://j2ee.confluence.atlassian.com:8080/500page.jsp<br>
- Scheme: http<br>
- Server: j2ee.confluence.atlassian.com<br>
- Port: 8080<br>
- URI: /500page.jsp<br>
- - Context Path: <br>
- - Servlet Path: /500page.jsp<br>
- - Path Info: null<br>
- - Query String: url=<script>alert(document.cookie)</script><br>
</p>
<p> <b>Attributes:</b><br>
- javax.servlet.error.exception : java.lang.NullPointerException<br>
- javax.servlet.forward.servlet_path : /rpc/trackback<br>
- os_securityfilter_already_filtered : true<br>
- caucho.forward : true<br>
- com.atlassian.core.filters.gzip.GzipFilter_already_filtered : true<br>
- javax.servlet.jsp.jspException : java.lang.NullPointerException<br>
- javax.servlet.error.exception_type : class java.lang.NullPointerException<br>
- javax.servlet.forward.request_uri : /rpc/trackback<br>
- javax.servlet.error.status_code : 500<br>
- javax.servlet.forward.query_string : url=<script>alert(document.cookie)</script><br>
- javax.servlet.error.request_uri : /rpc/trackback<br>
- atlassian.core.seraph.original.url : /rpc/trackback?url=<script>alert(document.cookie)</script><br>
- loginfilter.already.filtered : true<br>
- javax.servlet.forward.context_path : <br>
</p>
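As an added illustration (not Atlassian's code and not the actual fix shipped for this issue), the following hypothetical Java renderer shows what the error page above is missing: every request-derived value (the query string and each request attribute) is passed through an HTML entity encoder before being written into the page body, so the <script> tag from the report is emitted as inert text. The class name, method names and the sample input are assumptions constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical servlet error-page renderer with output encoding applied.
public class SafeErrorPage {

    // Minimal HTML entity encoder for text content (not sufficient on its own
    // for attribute, URL or JavaScript contexts).
    static String htmlEscape(String s) {
        if (s == null) return "null";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the "Information" / "Attributes" block; each value is encoded.
    static String render(String queryString, Map<String, Object> attributes) {
        StringBuilder out = new StringBuilder();
        out.append("<p><b>Information:</b><br>\n");
        out.append(" - Query String: ").append(htmlEscape(queryString)).append("<br>\n</p>\n");
        out.append("<p><b>Attributes:</b><br>\n");
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            out.append(" - ").append(htmlEscape(e.getKey())).append(" : ")
               .append(htmlEscape(String.valueOf(e.getValue()))).append("<br>\n");
        }
        out.append("</p>\n");
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input mirroring the request quoted in the report.
        String qs = "url=<script>alert(document.cookie)</script>";
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("javax.servlet.forward.query_string", qs);
        attrs.put("atlassian.core.seraph.original.url", "/rpc/trackback?" + qs);
        attrs.put("javax.servlet.error.status_code", 500);
        System.out.print(render(qs, attrs));
    }
}
```

In a JSP the same fix is to wrap each `<%= request.getQueryString() %>` and attribute expression in an encoder rather than writing the raw value, and the same rule applies to exception messages, which can also carry request data.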
duplicates: CONFSERVER-9560 Cross-site scripting vulnerability in 500page.jsp (Closed)