Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 6.3.2
Affects Version/s: None
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The UpdatePField action is vulnerable to reflected XSS when passing an unsanitized fieldId parameter to the Issue-confirmation.vm velocity template.

This issue can be tested with a specially crafted link, such as:

http://10.211.55.9/secure/UpdatePField.jspa?fieldId=');%3C/script%3E%3Cscript%3Ealert('XSS&fieldValue=1&key=SSP-6&id=11519&stepId=-1&decorator=none&selectedProjectId=10202&pageType=PlanningBoard&subType=VersionBoard&type=VB&selectedBoardId=-1&colPage=1

File: greenhopper\src\main\Resources\Atlassian-plugin.xml

<action name="com.pyxis.greenhopper.jira.actions.CardBoardAction" alias="CardBoardAction">
... 
  <command name="updateField" alias="UpdatePField">
    <view name="success">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
    <view name="error">/templates/greenhopper/jira/issue/actions/issue-confirmation.vm</view>
  </command>
</action>

File:greenhopper\src\main\resources\templates\greenhopper\jira\issue\Actions\Issue-confirmation.vm

Issue-confirmation.vm

#disable_html_escaping()
#if(!$action.errors.isEmpty())
  <span class="gh-error">#foreach($error in $action.errors)$action.getText($error)<br>#end</span>
  <script type="text/javascript">
  #if($action.fieldId)Boards.ffocus('${action.fieldId}In');#end
    GH.Util.hideAll(['opt_wait', 'popup_wait', 'search_wait']);
  </script>
  #else
  ##POSSIBLEXSS
  <script type="text/javascript">
    Boards.needsRefresh = Boards.inSearchMode;
    #if($action.searchBoard)
      #if($action.refresh && $action.selectedBoard.statsPanelSupported) Boards.refreshSearchStats('$action.selectedBoard.searchKey', '${action.escapeJavaScript($action.searchType)}');#end
        #if($action.key) getIssue('$action.selectedBoard.id','$action.issueObject.key').refresh();#end
          Boards.returnToSearch();
        #elseif(!$action.planningBoard && $action.refresh)
          #if($action.id)Boards.getBoardForIssue('$action.issueObject.key',
'${action.escapeJavaScript($action.redirectType)}');
          #else Boards.refreshAll();#end
        #else
          #if($action.simpleUpdate)
            getIssue('$action.selectedBoard.id','$action.key').refresh();
            #if($action.refresh)
              Boards.refreshColumn();
              Boards.mainBoard.refreshMarkers();
            #end
            #else
            #if($action.id)
            
Boards.getBoard('$action.selectedBoard.id').refreshMainBoard(Boards.mainBoard.getStart(), ['$action.key']);
              Boards.refreshColumn();
            #else 
              #if($action.refresh)
                Boards.refreshAll();
              #else
                Boards.getBoard('$action.selectedBoard.id').refreshMainBoard();
                Boards.refreshColumn();
              #end
            #end
          #end
          Boards.closePopup();
        #end
      </script>
    #end

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

UpdatePFieldXSS_browser.PNG
37 kB
28/May/2013 12:09 AM

Issue Links

mentioned in: Page Loading...; Wiki Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Daniel

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/May/2013 12:09 AM

Updated:: 16/Oct/2018 1:03 AM

Resolved:: 09/Sep/2013 2:10 AM