Project: Jira Software Data Center
Issue: JSWSERVER-5575

XSS (reflected) in fieldsKeys parameter of GHCreateNewIssue.jspa

      Targets: https://test01.jira-dev.com/secure/GHCreateNewIssue.jspa?key=&issueType=7&fieldsKeys=priority,customfield_10006,summary,fixVersions,components,customfield_10005,assignee,customfield_10004,reporter,customfield_100039fd29<script>alert('XSS')</script>15d31825f8e9d6606&fieldsValues=1@%@ @%@XSS"><script>alert('XSS')</script>@%@-1@%@-1@%@1000@%@0@%@100@%@isecpartners@%@iSEC"><script>alert('XSS')</script>&forcedFieldsKeys=&forcedFieldsValues=&createNext=false&projectId=&decorator=none&selectedProjectId=10000&pageType=ChartBoard&subType=ArchiveChartBoard&type=ACB&selectedBoardId=-1&colPage=1
      Reproduction:
      After logging in, open the target URL in a browser.
      Apply the attack value "><script>alert('XSS')</script> in the fieldsKeys parameter.


            Peter Obara added a comment - Looks good now, cannot reproduce any longer

            Peter Obara added a comment - Have to throw it back as I am still seeing the injection in GH latest (6.0.2-SNAPSHOT)

            David Black added a comment - bbaker is there a reason GHCreateNewIssue.jspa isn't protected against xsrf? (I'll open a new issue about this).

            David Black added a comment - I had trouble reproducing this issue with the URL in the summary, so I went through the planning board and watched how GHCreateNewIssue.jspa was used and was able to construct the following (working) URL to demonstrate this reflected XSS: https://wpad.jira-dev.com/jira/secure/GHCreateNewIssue.jspa?colPage=1&createNext=true&decorator=none&fieldsKeys=priority%2Csummary%2CfixVersions%2Ccomponents%2Ctimeoriginalestimate%2Cassignee%2Creporter%2Ccustomfield_100039fd29%3Cscript%3Ealert%28%27iSEC%27%29%3C/script%3E15d31825f8e9d6606&fieldsValues=1%40%25%40asdasdfsdf%40%25%40-1%40%25%40-1%40%25%40%20%40%25%400%40%25%40admin&forcedFieldsKeys=&forcedFieldsValues=&issueType=7&key=&pageType=PlanningBoard&projectId=&selectedBoardId=-1&selectedProjectId=10000&subType=VersionBoard&type=VB
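The working URL in David Black's comment above carries the script fragment inside the last comma-separated fieldsKeys entry. The following Python is an added example, not GreenHopper code and not something posted in this issue: it percent-decodes the fieldsKeys parameter from that URL, renders the keys through a hypothetical unencoded template beside an HTML-attribute-encoded one (the hidden-input markup is an assumption, not the real GreenHopper template), and classifies a response body the way a tester verifying the fix would. The classifier reports raw reflection whether or not an alert actually fires, which is the distinction the later comments in this thread turn on.

```python
# Added example (not GreenHopper code): pull the fieldsKeys values out of the
# reproduction URL, show an unencoded vs. an HTML-encoded reflection of them,
# and classify a response body the way a tester verifying the fix would.
import html
from urllib.parse import parse_qs, urlsplit

# Reproduction URL from David Black's comment above.
REPRO_URL = (
    "https://wpad.jira-dev.com/jira/secure/GHCreateNewIssue.jspa?colPage=1"
    "&createNext=true&decorator=none&fieldsKeys=priority%2Csummary%2CfixVersions"
    "%2Ccomponents%2Ctimeoriginalestimate%2Cassignee%2Creporter%2Ccustomfield_100039fd29"
    "%3Cscript%3Ealert%28%27iSEC%27%29%3C/script%3E15d31825f8e9d6606"
    "&fieldsValues=1%40%25%40asdasdfsdf%40%25%40-1%40%25%40-1%40%25%40%20%40%25%400%40%25%40admin"
    "&forcedFieldsKeys=&forcedFieldsValues=&issueType=7&key=&pageType=PlanningBoard"
    "&projectId=&selectedBoardId=-1&selectedProjectId=10000&subType=VersionBoard&type=VB"
)
# The script fragment carried inside the last fieldsKeys entry of that URL.
PAYLOAD = "<script>alert('iSEC')</script>"


def fields_keys(url: str) -> list[str]:
    """Return the comma-separated fieldsKeys values of a URL, percent-decoded."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("fieldsKeys", [""])[0].split(",")


def render_unencoded(keys: list[str]) -> str:
    """Hypothetical stand-in for the bug: each key copied into markup verbatim.
    The hidden-input shape is an assumption, not GreenHopper's real template."""
    return "".join(f'<input type="hidden" name="fieldsKeys" value="{k}">' for k in keys)


def render_encoded(keys: list[str]) -> str:
    """Same markup with HTML attribute encoding applied: the shape of the fix."""
    return "".join(
        f'<input type="hidden" name="fieldsKeys" value="{html.escape(k, quote=True)}">'
        for k in keys
    )


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'raw' if the payload comes back byte-for-byte, 'encoded' if only its
    HTML-escaped form appears, 'absent' otherwise. Raw reflection is the
    finding even when a given browser or context does not pop an alert."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    keys = fields_keys(REPRO_URL)
    print("injected key:      ", keys[-1])
    print("unencoded template:", classify_reflection(render_unencoded(keys)))
    print("encoded template:  ", classify_reflection(render_encoded(keys)))
```

To check a live instance, feed the actual response body to classify_reflection instead of the rendered strings; anything other than "encoded" or "absent" means the fix is not in place on that path.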

            ɹǝʞɐq pɐɹq added a comment - Good point. It's 6.0.2-SNAPSHOT at the moment since we don't plan to have a release for 2 weeks starting today. pobara can you work with David to facilitate some extra security QA please. Peter is in the US at the moment and hence it's Sunday there right now.

            David Black added a comment - bbaker I would need to know what version of greenhopper to test against (or where to get/test the version in which this issue is fixed).

            ɹǝʞɐq pɐɹq added a comment - jhinch was not able to replicate this problem per se (e.g. cause an alert) but he did see where we were not encoding correctly.

            So he fixed that and tested that it encodes. pobara can you talk to Jason about how he did this.

            dblack can you do some more testing if you choose to help verify that this has indeed been fixed. Subject to Pete's QA we are ready to declare this done.

            Peter Obara added a comment - mtokar Still need your help with (possibly) correcting my URL args, as I can't get this to work with the instructions/URL provided.

            Peter Obara added a comment - Trying to verify this as fixed, ran into an NPE, but it is likely from a malformed URL:

            ERROR admin 814x1041x1 1vvp0z0 0:0:0:0:0:0:0:1%0 /secure/GHCreateNewIssue.jspa [greenhopper.jira.util.IssueCreationManager] java.lang.NullPointerException
            [INFO] [talledLocalContainer] 2012-08-07 13:34:07,401 http-2990-4 WARN admin 814x1041x1 1vvp0z0 0:0:0:0:0:0:0:1%0 /secure/GHCreateNewIssue.jspa [atlassian.greenhopper.service.I18nFactoryServiceImpl] null key passed to i18n.getText
            [INFO] [talledLocalContainer] java.lang.IllegalArgumentException: The key argument must not be null
            [INFO] [talledLocalContainer] at com.atlassian.greenhopper.service.I18nFactoryServiceImpl$I18nHelperWrapper.nullCheck(I18nFactoryServiceImpl.java:207)
            [INFO] [talledLocalContainer] at com.atlassian.greenhopper.service.I18nFactoryServiceImpl$I18nHelperWrapper.getText(I18nFactoryServiceImpl.java:116)
            [INFO] [talledLocalContainer] at com.pyxis.greenhopper.jira.util.I18nImpl.getText(I18nImpl.java:44)
            [INFO] [talledLocalContainer] at com.pyxis.greenhopper.jira.boards.context.DefaultBoardContext.getText(DefaultBoardContext.java:758)
            [INFO] [talledLocalContainer] at com.pyxis.greenhopper.jira.actions.BoardAction.getText(BoardAction.java:613)
            [INFO] [talledLocalContainer] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

            David Black added a comment - CVSS score: 7.5 => High severity

            Exploitability Metrics
            AccessVector: Network
            AccessComplexity: Low
            Authentication: None

            Impact Metrics
            ConfImpact: Partial
            IntegImpact: Partial
            AvailImpact: Partial

            See https://extranet.atlassian.com/display/SECCOUNCIL/How+to+evaluate+vulnerability+severity+under+CVSS for details and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 for the score calculator.

              Assignee: Unassigned
              Reporter: David Black (dblack)
              Affected customers: 0
              Watchers: 3