Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 6.1.6, 6.2-OD-6
Affects Version/s: 6.1.2, 6.1.4
Component/s: None
Labels:

Introduced in Version:
6.01
CVSS Score:
6.8
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

In the createIE function inside dhtmlHistory.js the value of the fragment identifier, is concatenated to create the html of an iframe without first being html escaped or url encoded. This results in a DOM XSS which is exploitable in internet explorer.

Steps to reproduce:
1. Create a project named 'testproject' that has a key of 'TESTP'
2. In Internet Explorer Go to https://$jiradomain/$contextpath/browse/TESTP#src="/></iframe><script>alert(3);</script>
3. If an alert prompt containing the number 3 does not appear try refreshing the page.
4. Observe an alert prompt containing the number 3 is shown.

Attachments

Issue Links

relates to

JRASERVER-27704 Remove /includes/blank.html

Closed

mentioned in: Page Loading...

Activity

People

Assignee:: Roman Tekhov (Inactive)

Reporter:: clarence chen

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 09/Dec/2013 4:14 AM

Updated:: 28/Mar/2019 12:12 AM

Resolved:: 14/Jan/2014 4:25 AM