  1. Jira Data Center
  2. JRASERVER-39318

Escape or filter script tags in "all activity" panel

Details

    • Bug
    • Resolution: Won't Fix
    • Medium
    • None
    • 6.2.5
    • None

    Description

      We've got an external report about a third party plugin:

      From: Vincent Ollivier <vincentollivier@hpjsolutions.com>
      Date: 29 July 2014 13:12
      Subject: JIRA 6.2.5 / JEditor XSS Vulnerability
      To: security@atlassian.com

      Hi,

      Sorry for the email, I couldn't find the correct project to report this security issue.
      There's an XSS in JEditor comments and details textareas (https://marketplace.atlassian.com/plugins/com.jiraeditor.jeditor#support).

      1) Add the following comment, in "source mode" : <iframe/src=javascript:alert(document.cookie)>
      2) Delete the comment
      3) Open the "all" tab under the activities panel.

      You should get an alert box with a cookie displayed in it.

      You can contact me if you need more information.

      Sincerely,
      Vincent OLLIVIER

      I replied that the plugin needs to be fixed.

      We need to do something with the output to "all" activities panel (and probably others?) to defend against sloppily coded third party plugins. Force encode? Strip script tags before outputting them?

      Opinions welcome.
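
The two options raised in the description, run against the payload quoted in the report. This is an added example, not Jira or JEditor code; the function names and the benign sample comment are constructed for illustration.

```javascript
// Added example: compares "strip script tags" with "force encode" on the
// payload from the report. All function names are hypothetical, not Jira APIs.

// Option 1: strip <script>...</script> blocks and any stray script tags.
function stripScriptTags(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<\/?script\b[^>]*>/gi, "");
}

// Option 2: force-encode every HTML metacharacter before output.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// True if the string would still open a tag when written into an HTML page.
function containsTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Payload exactly as quoted in the report, plus a constructed benign comment.
const reported = "<iframe/src=javascript:alert(document.cookie)>";
const benign = "Fixed in build 12 <see release notes> & verified";

function compareDefences(body) {
  const stripped = stripScriptTags(body);
  const encoded = encodeForHtml(body);
  return {
    stripped,
    encoded,
    strippedStillHasTag: containsTag(stripped), // markup survives the filter
    encodedStillHasTag: containsTag(encoded),   // markup is now inert text
  };
}

console.log(compareDefences(reported));
console.log(compareDefences(benign));
```

The reported payload contains no script tag, so the stripping filter returns it unchanged, while encoding turns it into literal text. If the panel has to render a plugin's rich text as markup, encoding will display it as text, and the alternative is an allow-list HTML sanitizer rather than tag stripping.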

          People

            Unassigned
            vosipov VitalyA
            Votes: 0
            Watchers: 4
