We've got an external report about a third party plugin:

      From: Vincent Ollivier <vincentollivier@hpjsolutions.com>
      Date: 29 July 2014 13:12
      Subject: JIRA 6.2.5 / JEditor XSS Vulnerability
      To: security@atlassian.com

      Hi,

      Sorry for the email, I couldn't find the correct project to report this security issue.
      There's an XSS in JEditor comments and details textareas (https://marketplace.atlassian.com/plugins/com.jiraeditor.jeditor#support).

      1) Add the following comment, in "source mode": <iframe/src=javascript:alert(document.cookie)>
      2) Delete the comment
      3) Open the "all" tab under the activities panel.

      You should get an alert box with a cookie displayed in it.

      You can contact me if you need more information.

      Sincerely,
      Vincent OLLIVIER

I replied that the plugin needs to be fixed.

We need to do something with the output to "all" activities panel (and probably others?) to defend against sloppily coded third party plugins. Force encode? Strip script tags before outputting them?

Opinions welcome.
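The encode-versus-strip choice raised above, as an added example (not code from JIRA or the JEditor plugin): the reported comment contains no script tag at all, so a script-tag blocklist passes it through to the panel untouched, while output encoding turns it into inert text. The regexes, the panel wrapper markup and the helper names are constructed for illustration.

```python
import html
import re

# Payload from the report above, as the raw comment text the plugin emits.
REPORTED_PAYLOAD = '<iframe/src=javascript:alert(document.cookie)>'

# Option 1 from the ticket: strip script tags only (a blocklist). The regex
# is a constructed, deliberately simple approximation of that idea.
SCRIPT_TAG_RE = re.compile(r'</?script\b[^>]*>', re.IGNORECASE)

def strip_script_tags(text: str) -> str:
    """Remove <script> and </script> tags; leave everything else untouched."""
    return SCRIPT_TAG_RE.sub('', text)

# Option 2 from the ticket: force-encode. Every markup-significant character
# becomes an entity, so the browser renders the comment as text, not markup.
def force_encode(text: str) -> str:
    return html.escape(text, quote=True)

# Constructed stand-in for the activity panel's HTML wrapper.
PANEL_OPEN, PANEL_CLOSE = '<div class="activity-item">', '</div>'

def render_activity_entry(raw_comment: str, strategy) -> str:
    """Place the processed comment into the activity panel's HTML."""
    return PANEL_OPEN + strategy(raw_comment) + PANEL_CLOSE

# Detection-side check: after processing, does a live tag start remain?
LIVE_TAG_RE = re.compile(r'<[a-zA-Z!/]')

def still_has_markup(rendered_entry: str) -> bool:
    # Inspect only the comment body so the wrapper's own tags do not count.
    inner = rendered_entry[len(PANEL_OPEN):-len(PANEL_CLOSE)]
    return bool(LIVE_TAG_RE.search(inner))

def compare_strategies(raw_comment: str) -> dict:
    """Per strategy: would the comment still reach the browser as markup?"""
    return {
        'strip_script_tags': still_has_markup(render_activity_entry(raw_comment, strip_script_tags)),
        'force_encode': still_has_markup(render_activity_entry(raw_comment, force_encode)),
    }

if __name__ == '__main__':
    print(compare_strategies(REPORTED_PAYLOAD))
    # {'strip_script_tags': True, 'force_encode': False}
```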

[JRASERVER-39318] Escape or filter script tags in "all activity" panel

Bugfix Automation Bot made changes -
  Minimum Version New: 6.02
Owen made changes -
  Workflow Original: JAC Bug Workflow v2 [ 2844349 ] New: JAC Bug Workflow v3 [ 2915749 ]
  Status Original: Resolved [ 5 ] New: Closed [ 6 ]
Owen made changes -
  Workflow Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2581823 ] New: JAC Bug Workflow v2 [ 2844349 ]
Ignat (Inactive) made changes -
  Workflow Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1542937 ] New: JIRA Bug Workflow w Kanban v7 - Restricted [ 2581823 ]
Confluence Escalation Bot (Inactive) made changes -
  Labels Original: cvss-high security New: affects-server cvss-high security
Owen made changes -
  Workflow Original: JIRA Bug Workflow w Kanban v6 [ 703253 ] New: JIRA Bug Workflow w Kanban v6 - Restricted [ 1542937 ]
Security Metrics Bot made changes -
  Labels Original: security New: cvss-high security
VitalyA made changes -
  Security Original: Reporters and Developers [ 10021 ]
Oswaldo Hernandez (Inactive) made changes -
  Resolution New: Won't Fix [ 2 ]
  Status Original: Open [ 1 ] New: Resolved [ 5 ]
VitalyA made changes -
  CVSS Score New: 6.5
