Whoops : error.asp page allows for user-supplied input


      Issue Summary

      • Any anonymous user is able to craft and supply a query string to the Whoops (error.asp) page
      • The error.asp page appears to accept and render whatever is sent in the query string (the supplied string is echoed in the Whoops screen)

      Steps to Reproduce

      1. As an anonymous user, craft a query string like the example below:
        https://<instance>.jiraalign.com/error?d=<user-supplied input>
      2. By using Mozilla, browse to that URL
      3. Notice the Whoops error message is displayed, containing the user-supplied string

      Expected Results

      Customer's Expected Behavior

      • Anonymous users should not be able to inject any payload via any ASP page
      • Logged-in users should not be able to inject any payload via https://<instance>.jiraalign.com/error?d=<user-supplied input>

      Actual Results

      • The user-supplied content is displayed in the Whoops page body.

      Workaround

      • Currently there is no known workaround for this behavior. A workaround will be added here when available.
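How an error page can take a `d` parameter without echoing it into the page body, as an added Python example that is not part of this issue or of Jira Align's code. The error identifiers, messages and URLs are constructed; the reflecting form is shown only to contrast it with the hardened one.

```python
"""Constructed example: an error page that receives a 'd' query parameter."""
import html
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: 'd' may only select one of these server-side messages.
KNOWN_ERRORS = {
    "timeout": "The request took too long to complete.",
    "notfound": "The page you requested does not exist.",
}
GENERIC_MESSAGE = "Something went wrong. Please try again."


def d_param(url: str) -> Optional[str]:
    """Return the decoded 'd' query parameter from a URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("d")
    return values[0] if values else None


def render_reflecting(url: str) -> str:
    """Weak form: whatever arrives in 'd' is written into the body verbatim."""
    d = d_param(url) or ""
    return f"<h1>Whoops</h1><p>{d}</p>"


def render_hardened(url: str) -> str:
    """Hardened form: 'd' is a lookup key, never content.

    Unknown values fall back to a generic message, and the message is
    HTML-escaped on output as a second layer regardless of its origin.
    """
    d = d_param(url) or ""
    message = KNOWN_ERRORS.get(d, GENERIC_MESSAGE)
    return f"<h1>Whoops</h1><p>{html.escape(message)}</p>"


def reflects_input(render: Callable[[str], str], url: str) -> bool:
    """Review check: does the rendered body contain the raw 'd' value?"""
    d = d_param(url)
    return bool(d) and d in render(url)
```

Running `reflects_input` against both renderers with a non-allowlisted `d` value is a quick way to confirm a fix actually stops the echo rather than just changing its wording.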

              Assignee: Kyle Foreman
              Reporter: Rodrigo Cortez
              Votes: 0
              Watchers: 4


                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 1h