Reflected cross-site scripting (XSS) in dosearchsite action

2013-10-01T10:54:49
ID ATLASSIAN:CONF-31012
Type atlassian
Reporter phillip.langlois
Modified 2017-02-17T05:48:09

Description

The dosearchsite action is vulnerable to reflected cross-site scripting (XSS) via the searchQuery.spaceKey parameter. This vulnerability appears to be very similar to issue CONF-30318, and the fixes implemented in response to that issue may also address this one.

If the URL below is visited by an authenticated user of Confluence, the embedded script executes in the context of the user:

http://confluenceserver:8090/dosearchsite.action?searchQuery.queryString=test&searchQuery.spaceKey=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

It should be noted that this is not a straightforward case of reflected XSS: the page returned for this URL contains the injected script HTML-encoded, as the value of an input tag inside a div of class "filter-wrapper space-filter". The script is executed only when that div is processed by the JavaScript associated with the page.
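The encode-then-decode sequence described above, modelled as an added example (this is not Confluence code; the function names, the markup and the sample value are assumptions). It shows why server-side HTML encoding of the attribute value is undone once a script reads it back, and why the client-side sink must encode again:

```javascript
// Added illustration (not Confluence code): models why HTML-encoding the
// spaceKey value into an input attribute is not enough when page script
// later re-inserts that value as HTML.

// Server side: the value is HTML-encoded before it is placed into the
// value="" attribute of the input inside the filter div.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Browser side: when a script reads input.value, the HTML parser has
// already decoded the attribute, so the script sees the original string.
function decodeAttribute(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  })[e]);
}

// Vulnerable pattern: interpolating the decoded value into markup
// (innerHTML, jQuery .html(), a string template) re-introduces the tags.
function renderFilterUnsafe(spaceKeyFromInput) {
  return '<span class="space-filter">' + spaceKeyFromInput + "</span>";
}

// Hardened pattern: encode again at the point where the value becomes
// HTML (or, in a real page, assign it with textContent instead).
function renderFilterSafe(spaceKeyFromInput) {
  return '<span class="space-filter">' + htmlEncode(spaceKeyFromInput) + "</span>";
}

// Walk one request through both stages. The caller supplies a constructed
// stand-in for the spaceKey parameter.
function simulate(spaceKeyParam) {
  const attrValue = htmlEncode(spaceKeyParam);     // what the server emits
  const seenByScript = decodeAttribute(attrValue); // what input.value returns
  return {
    attrValue,
    unsafe: renderFilterUnsafe(seenByScript),
    safe: renderFilterSafe(seenByScript),
  };
}
```

The encoded attribute value is correct on the wire; the defect is the second, client-side insertion, which is where the fix belongs.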