- Type: Bug
- Resolution: Fixed
- Priority: Highest
The ChartBoardAction.doSetCurveColor method is vulnerable to persistent XSS: it saves an unsanitized color parameter into user preferences, from where it is later rendered. The action is also not protected against XSRF, allowing exploitation by remote attackers.
File: greenhopper\src\main\java\com\pyxis\greenhopper\jira\Actions\ChartBoardAction.java

ChartBoardAction.java (vulnerable version, before the fix):

```java
package com.pyxis.greenhopper.jira.actions;

import java.io.IOException;
import java.util.Set;
...

@SuppressWarnings("serial")
public class ChartBoardAction extends VersionBoardAction {
    ...
    protected String color;
    ...
    public String doSetCurveColor() {
        Set<CurveSettings> settings = getChartContext().getSettings();
        for (CurveSettings curveSetting : settings) {
            if (curveSetting.getId().equals(curveId)) {
                curveSetting.setColor(color);   // request value stored as-is: persistent XSS
                break;
            }
        }
        getPreferences().setSettings(getChartContext().getSettingsId(), settings);
        getPreferences().save();
        return SUCCESS;                         // no XSRF token check before the state change
    }
    ...
    public void setColor(String color) {
        this.color = color;                     // request parameter accepted without validation
    }
}
```
Added htmlEncode for colour in legend (can't find anywhere else it's used)
Also added Xsrf check for set chart selection, curve colour and curve visible in ChartBoardAction.
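The two controls the fix comments describe (output encoding of the colour in the legend and an XSRF check on the state-changing action), plus input validation of the colour itself, as a stand-alone added example. This is not GreenHopper's or Atlassian's code: the class, method and token names are assumptions, the token comparison stands in for JIRA's own XSRF mechanism, and a StringBuilder stands in for the preference store so the example runs without JIRA.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.regex.Pattern;

// Added example (hypothetical class, not GreenHopper's code): the checks a
// hardened doSetCurveColor needs, written without any JIRA dependencies.
public class CurveColorHardening {

    // Input validation: a curve colour is a CSS hex colour and nothing else.
    // Anything containing markup is rejected before it reaches user preferences.
    private static final Pattern HEX_COLOR = Pattern.compile("^#[0-9a-fA-F]{6}$");

    public static boolean isValidColor(String color) {
        return color != null && HEX_COLOR.matcher(color).matches();
    }

    // Output encoding for the legend: even a value that somehow bypassed
    // validation cannot break out of the HTML text or attribute context.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // XSRF check (assumed scheme): the token submitted with the request must
    // equal the token bound to the user's session. Constant-time comparison
    // so the check does not leak the token byte by byte through timing.
    public static boolean xsrfTokenValid(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened version of the action: refuse the request unless the XSRF token
    // matches and the colour is well-formed; only then touch the stored settings.
    // "ERROR", "INPUT" and "SUCCESS" mirror WebWork-style action results.
    public static String doSetCurveColor(String sessionToken, String submittedToken,
                                         String color, StringBuilder preferenceStore) {
        if (!xsrfTokenValid(sessionToken, submittedToken)) {
            return "ERROR";
        }
        if (!isValidColor(color)) {
            return "INPUT";
        }
        preferenceStore.append(color).append('\n');   // stands in for getPreferences().save()
        return "SUCCESS";
    }

    public static void main(String[] args) {
        StringBuilder prefs = new StringBuilder();
        String sessionToken = "constructed-session-token";   // constructed sample value

        System.out.println(doSetCurveColor(sessionToken, sessionToken, "#ff8800", prefs));
        System.out.println(doSetCurveColor(sessionToken, sessionToken, "#fff<b>", prefs));
        System.out.println(doSetCurveColor(sessionToken, "wrong-token", "#ff8800", prefs));
        System.out.println("stored preferences: " + prefs.toString().trim());
        System.out.println("legend label: " + htmlEncode("<b>curve</b> \"A\""));
    }
}
```

The order of the checks matters: the XSRF check runs first so that a forged request is rejected before any parameter is even looked at, and validation runs before the preference store is written so that a bad value is never persisted. Output encoding in the legend is kept as a second, independent layer in case a stored value predates the validation.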