Flash content-type sniffing allows Cross Site Data Hijacking

Type atlassian
Reporter dblack
Modified 2017-02-17T04:32:29


As documented at http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website, it is possible to upload a Flash file to Confluence with a content type other than the Flash one. When that file is embedded on an attacker's domain, it is able to make requests to the Confluence instance that hosts it. This bug can be used to steal a user's XSRF/CSRF token.

h3. Steps to reproduce

# Set up a Confluence instance
# Rename a Flash file (.swf) to have any image extension (e.g. .png)
# Upload the renamed file to Confluence as an attachment and ensure that it has an image content type (e.g. image/png)
# Open http://0me.me/demo/SOP/CrossDomainDataHijackHelper.html
# Enter the direct URL to the attachment in the "Flash File" field
# Enter the base URL in the "Target Page" field
# Click the "RUN" button

Current behaviour: Flash file is rendered

Expected behaviour: Flash file should not be rendered
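The root cause above is that Flash Player decides what a file is from its bytes, not from its extension or the Content-Type the server sends. The following is an added example of the server-side checks a defender would put in front of an attachment store (my own code, not Confluence's): it identifies a SWF by its header regardless of declared type, and it builds headers that serve attachments as downloads. The PNG and SWF samples are constructed inline; a real file store would pass the actual upload bytes.

```python
import struct

# Every SWF starts with a 3-byte signature: FWS (uncompressed), CWS (zlib), ZWS (LZMA),
# followed by a version byte and a little-endian uint32 uncompressed length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
SWF_MIME = "application/x-shockwave-flash"

def is_swf(data: bytes) -> bool:
    """Identify a Flash movie by its header, ignoring the filename and declared MIME type."""
    if len(data) < 8:
        return False
    signature, version, length = struct.unpack("<3sBI", data[:8])
    if signature not in SWF_SIGNATURES:
        return False
    # Uncompressed movies record their exact size; compressed ones record the inflated
    # size, which is never smaller than the header itself.
    return length == len(data) if signature == b"FWS" else length >= 8

def validate_upload(filename: str, declared_type: str, data: bytes) -> tuple:
    """Accept an attachment only if its bytes agree with what the uploader claims it is.
    Returns (accepted, reason)."""
    if is_swf(data) and (declared_type != SWF_MIME or not filename.lower().endswith(".swf")):
        return False, "SWF bytes disguised as %s (%s)" % (declared_type, filename)
    return True, "ok"

def attachment_headers(filename: str, stored_type: str) -> dict:
    """Headers for serving user-uploaded attachments. Content-Disposition: attachment makes
    the browser download rather than render the file, and Flash Player does not play a SWF
    delivered that way, so a disguised movie cannot run in the site's origin."""
    return {
        "Content-Type": stored_type,
        "Content-Disposition": 'attachment; filename="%s"' % filename.replace('"', ""),
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples: a real PNG signature and a minimal, non-functional SWF header.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SWF_SAMPLE = b"FWS" + bytes([10]) + struct.pack("<I", 20) + b"\x00" * 12

if __name__ == "__main__":
    for name, ctype, blob in [("logo.png", "image/png", PNG_SAMPLE),
                              ("logo.png", "image/png", SWF_SAMPLE)]:
        print(name, ctype, validate_upload(name, ctype, blob))
```

The second sample reproduces the report's case (SWF bytes under a .png name and image/png type) and is rejected, while the genuine PNG passes.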