Reflected XSS in the pageId request parameter in 500page.jsp

2012-08-09T03:15:04
ID ATLASSIAN:CONFSERVER-26270
Type atlassian
Reporter dblack
Modified 2017-02-17T05:24:38

Description

A scanner picked up that the pageId parameter in 500page.jsp is a potential reflected XSS bug. This can be exploited through a URL like the following: https://example.com/pages/viewtrash.vm;editpage?pageId=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

{code}

<%
    String uri = (String)request.getAttribute("javax.servlet.error.request_uri");
    if(uri != null && uri.contains("editpage"))
    {
        String editDraft = context + "/pages/editpage.action?useDraft=true&pageId=" + request.getParameter("pageId");
        %>
        <div class="panel warning">
            <img id="draftNote" alt="" src="<%= context %>/images/icons/emoticons/warning.png">
            You can <a href="<%= editDraft %>">resume editing</a> the most recently saved draft of your page.
        </div>
    <% 
    }
%>

{code}
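The following is an added example, not code from the original report or from Atlassian. It reproduces the JSP's string concatenation next to a hardened form. The class and method names, the `/confluence` context path, and the rule that a page ID is a decimal integer are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class DraftLinkExample {
    // Assumption: page IDs are decimal integers; anything else is rejected.
    private static final Pattern NUMERIC_ID = Pattern.compile("[0-9]{1,19}");

    /** Minimal HTML escaper for attribute and text contexts (illustrative helper). */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Same concatenation as the JSP: the raw parameter lands inside href="...". */
    static String vulnerableLink(String context, String pageId) {
        String editDraft = context + "/pages/editpage.action?useDraft=true&pageId=" + pageId;
        return "<a href=\"" + editDraft + "\">resume editing</a>";
    }

    /** Hardened: allow-list the ID, then encode the URL for the attribute context. */
    static String hardenedLink(String context, String pageId) {
        if (pageId == null || !NUMERIC_ID.matcher(pageId).matches()) {
            return ""; // no draft link for a missing or malformed ID
        }
        String editDraft = context + "/pages/editpage.action?useDraft=true&pageId=" + pageId;
        return "<a href=\"" + escapeHtml(editDraft) + "\">resume editing</a>";
    }

    public static void main(String[] args) {
        // Decoded value of the pageId parameter in the URL from the report.
        String reported = "\"><script>alert(1)</script>";
        System.out.println("vulnerable: " + vulnerableLink("/confluence", reported));
        System.out.println("hardened:   [" + hardenedLink("/confluence", reported) + "]");
        System.out.println("valid id:   " + hardenedLink("/confluence", "123456"));
    }
}
```

The allow-list check alone stops the reported input; the output encoding is kept as a second layer so the link stays safe if the validation rule is later loosened.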