Whoops : error.asp page allows for user-supplied input


      Issue Summary

      • Any anonymous user is able to craft a query string for the Whoops (error.asp) page and have its value reflected back
      • The error.asp page appears to accept and render whatever value is supplied, since the string is shown in the Whoops screen (note that this alone does not indicate whether the value is HTML-encoded on output)

      Steps to Reproduce

      1. As an anonymous (not logged-in) user, craft a query string such as the example below:
        https://<instance>.jiraalign.com/error?d=<user-supplied input>
      2. Browse to that URL in a web browser (Mozilla Firefox was used)
      • Notice that the Whoops error message is displayed and contains the user-supplied string
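      The reproduction above is a manual check. The following script is an added example, not code from this report or from Atlassian: it takes the /error?d= path and host pattern from the report, sends a canary value containing HTML-significant characters, and classifies whether the value comes back raw, HTML-encoded, altered, or not at all. Every function name is an assumption made for this example, and the sample response bodies in the main block are constructed, not captured from a real instance.

```python
"""Probe whether the value of the ``d`` query parameter on /error is reflected
into the response body, and if so whether it is HTML-encoded.

Added example; the /error?d= path and the jiraalign.com host pattern come from
the report, everything else is an assumption for illustration."""
import html
import secrets
import urllib.parse
import urllib.request


def make_canary(token=None):
    """Build a marker containing characters that matter in an HTML context.

    ``token`` can be fixed by callers (e.g. tests); by default it is random so
    the marker cannot collide with text already on the page.
    """
    token = token or secrets.token_hex(4)
    return f'<whoops"{token}">'


def build_probe_url(base, canary):
    """URL-encode the canary into the ``d`` parameter of the Whoops error page."""
    return f"{base.rstrip('/')}/error?d={urllib.parse.quote(canary, safe='')}"


def classify_reflection(body, canary):
    """Report how the canary appears in ``body``.

    'raw'     - byte-for-byte, including < and " (needs further triage)
    'encoded' - HTML entity-escaped, so the browser renders it as text
    'altered' - the token survived but the markup characters were changed
    'none'    - not reflected at all
    """
    token = canary.split('"')[1]
    if token not in body:
        return "none"
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "altered"


def probe(base, fetch=None):
    """Fetch the error page with a fresh canary and return (url, classification).

    ``fetch`` maps a URL to the response body as str; it is injectable so the
    logic can be exercised without network access.
    """
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", errors="replace")
    canary = make_canary()
    url = build_probe_url(base, canary)
    return url, classify_reflection(fetch(url), canary)


if __name__ == "__main__":
    # Constructed sample bodies standing in for two possible server behaviours.
    c = make_canary("deadbeef")
    raw_page = f"<p>Whoops: {c}</p>"
    safe_page = f"<p>Whoops: {html.escape(c, quote=True)}</p>"
    print(build_probe_url("https://<instance>.jiraalign.com", c))
    print(classify_reflection(raw_page, c), classify_reflection(safe_page, c))
```

Only a 'raw' result means the markup characters reached the page unencoded; an 'encoded' result shows the same visible reflection the report describes but with output encoding in place. Run probe() against a live instance only with authorisation.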

      Expected Results

      Customer's Expected Behavior

      • Anonymous users should not be able to have arbitrary query-string input reflected by any ASP page
      • Logged-in users should likewise not be able to have arbitrary input reflected via https://<instance>.jiraalign.com/error?d=<user-supplied input>

      Actual Results

      • The user-supplied content is displayed in the Whoops page body.

      Workaround

      • Currently there is no known workaround for this behavior. A workaround will be added here when one is available.

            Assignee:
            Kyle Foreman
            Reporter:
            Rodrigo Cortez
            Votes:
            0
            Watchers:
            4

                Estimated:
                Not Specified
                Remaining:
                0h
                Logged:
                1h