[JSWCLOUD-6705] XSS in redirectType parameter on SearchBoard.jspa

Type: Bug
Resolution: Fixed
Priority: Medium
Component/s: None
Labels:
- cvss-high
- security

Bug Fix Policy:
View Atlassian Cloud bug fix policy

NOTE: This bug report is for JIRA Software Cloud. Using JIRA Software Server? See the corresponding bug report.

This is difficult to reproduce - needs tampering with the post data for the page.

On Classic Board, go to the search box. Tamper with the posted data and add the parameter redirectURL with something like:
redirectType=xxx"><img src=u onerror=alert(1)>
(Note: it doesn't work if you use <script></script> tags)

You need to have > 1 page of search results - more than 30 by default, or change the Issues Per Page in the Tools > User Preferences section.

The image is rendered within the page numbers.

is related to

JSWSERVER-6705 XSS in redirectType parameter on SearchBoard.jspa

Closed

Michael Tokar added a comment - 26/Nov/2012 3:27 AM

QA-ed with Jo when she was developing the fix.

Michael Tokar added a comment - 26/Nov/2012 3:27 AM QA-ed with Jo when she was developing the fix.

ig (Inactive) added a comment - 23/Nov/2012 12:53 AM

Code review?

ig (Inactive) added a comment - 23/Nov/2012 12:53 AM Code review?

David Black added a comment - 23/Nov/2012 12:11 AM

CVSS score: 7.5 => High severity

Exploitability Metrics

AccessVector	Network
AccessComplexity	Low
Authentication	None

Impact Metrics

ConfImpact	Partial
IntegImpact	Partial
AvailImpact	Partial

See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

David Black added a comment - 23/Nov/2012 12:11 AM CVSS score: 7.5 => High severity Exploitability Metrics AccessVector Network AccessComplexity Low Authentication None Impact Metrics ConfImpact Partial IntegImpact Partial AvailImpact Partial See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for score calculator.

JoanneA (Inactive) added a comment - 21/Nov/2012 12:29 AM

Checked in on branch ~~GHS-5562~~-XSS-bug, please test with ~~GHS-5562~~.

Changed from escapeJavaScript to htmlEncode - this ensures that all characters including ", <, > are encoded instead of just prefixed with \

JoanneA (Inactive) added a comment - 21/Nov/2012 12:29 AM Checked in on branch GHS-5562 -XSS-bug, please test with GHS-5562 . Changed from escapeJavaScript to htmlEncode - this ensures that all characters including ", <, > are encoded instead of just prefixed with \

Assignee:: Unassigned

Reporter:: JoanneA (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 21/Nov/2012 12:27 AM

Updated:: 29/Aug/2019 12:49 AM

Resolved:: 27/Nov/2012 10:23 PM

Jira Cloud

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Michael Tokar added a comment - 26/Nov/2012 3:27 AM

Expand comment: Michael Tokar added a comment - 26/Nov/2012 3:27 AM

Collapse comment: ig (Inactive) added a comment - 23/Nov/2012 12:53 AM

Expand comment: ig (Inactive) added a comment - 23/Nov/2012 12:53 AM

Collapse comment: David Black added a comment - 23/Nov/2012 12:11 AM

Expand comment: David Black added a comment - 23/Nov/2012 12:11 AM

Collapse comment: JoanneA (Inactive) added a comment - 21/Nov/2012 12:29 AM

Expand comment: JoanneA (Inactive) added a comment - 21/Nov/2012 12:29 AM

People

Dates