-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Medium
-
Affects Version/s: 5.0.3
-
Component/s: Application Links
-
5
-
4.3
The ConsumerConfigurationServlet servlet has an open redirect vulnerability in the doGet method that will allow phishers to lure users away from legitimate JIRA hosted sites. An open redirect vulnerability is caused by an attacker having control over a request parameter that hasn’t been validated before redirect. Using a relative URL or validating the argument before use should fix the issue.
File: applinks-plugin\src\main\java\com\atlassian\applinks\core\auth\Trusted\ConsumerConfigurationServlet.java
ConsumerConfigurationServlet.java
@Override protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { try { // Enable web sudo protection if needed and if the app we are running in supports it webSudoManager.willExecuteWebSudoRequest(request); if (peerHasUAL(request)) { configureTrustAndRedirect(request, response); ... private void configureTrustAndRedirect(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { final String callbackUrl = getRequiredParameter(request, "callbackUrl"); final Action action = getAction(request); final ApplicationLink applicationLink; try { applicationLink = getRequiredApplicationLink(request); } catch (NotFoundException ex) { response.sendRedirect(buildCallBackUrl(callbackUrl, action, true, null)); ... private String buildCallBackUrl(final String callbackUrlBase, final Action action, final boolean success, final String message) { final StringBuilder buf = new StringBuilder(callbackUrlBase) .append(callbackUrlBase.contains("?") ? '&' : '?') .append("action=").append(action.name()) .append('&') .append("result=").append(success ? "success" : "failure"); if (!StringUtils.isBlank(message)) { buf.append("&message=" + URIUtil.utf8Encode(message)); } return buf.toString(); }
