XSS in /secure/admin/TempoServicesAccess.jspa

XMLWordPrintable

    • 7.5

      allowedIPAccresses is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial - just get your victim to click on the link without a token.

      /secure/admin/TempoServicesAccess.jspa?allowedIpAddresses=%3Cxss%3E&atl_token=BYRO-9FU9-UCXC-E6R7%7C1abd1e4580f1776e7c4a257414640e59c92fc1b0%7Clin&atl_token_retry_button=Retry+Operation
      

      Response (output appears in 2 places in the page)

      
              </tr>
      
      
                          <tr class="descriptionrow">
                      <td class="fieldValueArea" colspan="2">
                          <div style="width: 80%;" class="aui-message error">
                              Misprint in Allowed addresses? Please check and save again. The offending input: <xss>
                                                  </div>
                      </td>
                  </tr>
                  
      
              <tr>
                  <td class="fieldLabelArea">Allowed addresses</td>
                  <td class="fieldValueArea" bgcolor="#ffffff">
                      <textarea style="width:90%" rows="10" cols="50" id="allowedIpAddresses" name="allowedIpAddresses"><xss></textarea>
                  </td>
              </tr>
      

      This is probably in Tempo

      See fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues

              Assignee:
              Unassigned
              Reporter:
              Sverrir Tynes [Tempo]
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: