Jira 4.0.1 cross site scripting

2010.07.29
Credit: MaXe
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Jira - Multiple Low Risk Vulnerabilities Versions Affected: 4.0.1 (other versions were not checked.) Info: JIRA provides issue tracking and project tracking for software development teams to improve code quality and the speed of development. (and so forth.) External Links: http://www.atlassian.com/software/jira/ Credits: MaXe (no previous vulnerability information about these bugs were found.) -:: The Advisory ::- Jira is prone to Cross Site Script Redirection (XSSR) also known as Cross Site Redirection (CSR), Non-Persistent Script Injection and Low Risk Information Disclosure. Cross Site Script Redirection: The "returnUrl" GET-request within ViewIssue.jspa is not sanitizing user-input in a sufficient way allowing the Data URI scheme to be used in an attack. Proof of Concept URL: ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script> Non-Persistent Script Injection: The "returnUrl" GET-request within default.jspa is not sanitizing user-input in a sufficient way allowing the javascript URI scheme to be used in a conditional attack if the target user clicks the "Cancel" button on the target site which is affected by this vulnerability. Proof of Concept URL: AttachFile!default.jspa?id=[VALID_ID]&returnUrl=javascript:alert(0)';foo=' Low Risk Information Disclosure: The "reportKey" GET-request within ConfigureReport.jspa is not sanitized properly for erroneous input and may cause an exception when a value passed to this function is invalid. This will disclose information such as: - Kernel information - MySQL version - Plugins enabled - Architecture - Username the application is running under. - Java Version - And more.. Proof of Concept URL: ConfigureReport.jspa?selectedProjectId=[VALID_ID]&reportKey='invalid&Next=Next -:: Solution ::- There is currently no known solution at the moment. Jira is closed source and it is therefore not possible to provide a patch nor audit the code in order to find any further vulnerabilities easily. Disclosure Information: - Vulnerabilities found and researched: 23rd July 2010 - Vulnerabilities disclosed at InterN0T 24th July - Bugtraq contacted (again) at: 28th July References: http://forum.intern0t.net/intern0t-advisories/2861-jira-enterprise-4-0-1-multiple-low-risk-vulnerabilities.html All of the best, MaXe


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top