- Bug
- Resolution: Fixed
- Medium
- 5.2.11, 6.2, 6.2.2
- None
- 5.02
- 4.3
If JIRA is configured for HTTPS connections (in both "redirect HTTP to HTTPS" and "HTTPS only" modes), then the following redirects are possible. This does not occur with plain HTTP configurations.
The os_destination parameter on the login.jsp page (and on other pages once logged in; see technical details below) allows you to redirect to any site if the URL is prefixed with two slashes.
Reproduction
- Browse to the following link (replacing jira.example.com with your own test server).
- https://jira.example.com/login.jsp?os_destination=%2F%2Fatlassian.com
- Log in, and see that your browser is redirected to atlassian.com.
Example request (response headers shown)
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-AREQUESTID: 903x5883x1
X-ASESSIONID: lw2agc
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Seraph-LoginReason: OK
Location: https://atlassian.com
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 22 Apr 2014 22:03:47 GMT
I was only able to get redirects to work if the redirect URL begins with // (or %2F%2F when URL-encoded). Having special characters (such as the colon in http://) will redirect the user to the dashboard page, so it seems you can't redirect the user to links with any other protocols.
If the user is already logged in, it doesn't seem to matter which page the os_destination parameter is on. Even if it's a page that doesn't exist, it will still redirect the user immediately. For example:
https://jira.example.com/ThisCanBeAnything?os_destination=%2F%2Fatlassian.com
https://jira.example.com/AnythingYouWant?os_destination=%2F%2Fatlassian.com
I tested this on versions 5.2.11, 6.2, and 6.2.2, but other versions are likely vulnerable as well.
Solution
Confluence solves this problem by concatenating the site's URL with the contents of os_destination. So for the example above, it would redirect you to https://jira.example.com//atlassian.com, which is still on the jira.example.com host.
Alternatively, you could have any os_destination that begins with // just redirect the user to the dashboard like what is done with special characters.
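Both fixes described above, as an added example that is not JIRA's or Confluence's own code. It assumes a constructed base URL of https://jira.example.com and a placeholder dashboard path of /dashboard (the real paths are configuration-specific), and it takes os_destination the way a web framework would hand it over, already URL-decoded. The validator rejects protocol-relative values such as //atlassian.com (and their %2F%2F form), treats a backslash in that position like a slash as browsers do, and accepts only a single-slash local path; the concatenation variant mirrors the Confluence behaviour and keeps the redirect on the base host even for a leading //.

```python
from urllib.parse import urlsplit, urljoin, unquote

# Constructed for this example: the real base URL comes from JIRA's
# configuration and the dashboard path is a placeholder.
BASE_URL = "https://jira.example.com"
DASHBOARD_PATH = "/dashboard"


def is_local_destination(dest: str) -> bool:
    """Return True only if dest is a same-site path (no scheme, no host).

    The report shows that a destination beginning with // is resolved by
    the browser as a protocol-relative URL, i.e. a different host. So we
    require exactly one leading slash and no authority component.
    """
    if not dest:
        return False
    # Decode once more so a still-encoded %2F%2F is judged on its decoded form.
    decoded = unquote(dest)
    # Browsers treat a backslash like a forward slash here; normalise before
    # checking the leading characters.
    normalised = decoded.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # A bare path parses with an empty scheme and netloc; anything else is off-site.
    return parts.scheme == "" and parts.netloc == ""


def redirect_target_reject(dest: str) -> str:
    """Second fix from the report: unsafe destinations go to the dashboard,
    exactly as JIRA already does for destinations containing special characters."""
    if is_local_destination(dest):
        return urljoin(BASE_URL, dest)
    return urljoin(BASE_URL, DASHBOARD_PATH)


def redirect_target_concat(dest: str) -> str:
    """First fix from the report (the Confluence approach): always prefix the
    site's own URL, so //atlassian.com becomes a path on the base host."""
    if not dest.startswith("/"):
        dest = "/" + dest
    return BASE_URL + dest


if __name__ == "__main__":
    # Constructed sample destinations, including the one from the report.
    for d in ["/browse/ABC-1", "//atlassian.com", "%2F%2Fatlassian.com", "http://atlassian.com"]:
        print(f"{d!r:24} reject -> {redirect_target_reject(d)}")
        print(f"{d!r:24} concat -> {redirect_target_concat(d)}")
```

The reject variant is the simpler one to reason about, because every outcome is either the base host plus a validated local path or the dashboard; the concatenation variant keeps the user on the base host but leaves the odd-looking double slash in the resulting URL, as the report notes for Confluence.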