-
Type:
Bug
-
Resolution: Fixed
-
Priority:
High
-
Component/s: None
-
7.5
allowedIPAccresses is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token.
/secure/admin/TempoServicesAccess.jspa?allowedIpAddresses=%3Cxss%3E&atl_token=BYRO-9FU9-UCXC-E6R7%7C1abd1e4580f1776e7c4a257414640e59c92fc1b0%7Clin&atl_token_retry_button=Retry+Operation
Response (output appears in 2 places in the page)
</tr>
<tr class="descriptionrow">
<td class="fieldValueArea" colspan="2">
<div style="width: 80%;" class="aui-message error">
Misprint in Allowed addresses? Please check and save again. The offending input: <xss>
</div>
</td>
</tr>
<tr>
<td class="fieldLabelArea">Allowed addresses</td>
<td class="fieldValueArea" bgcolor="#ffffff">
<textarea style="width:90%" rows="10" cols="50" id="allowedIpAddresses" name="allowedIpAddresses"><xss></textarea>
</td>
</tr>
This is probably in Tempo
See fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues