XSS in /includes/decorators/global-translations.jsp

2016-07-15T02:23:27
ID ATLASSIAN:JRA-61888
Type atlassian
Reporter roberto.soares1696718354
Modified 2017-01-17T22:51:32

Description

Somewhat hard to exploit but still doable when it comes to cache poisoning. Steps to reproduce:

  • Tamper with a GET request to {{http://<JIRA instance>/includes/decorators/global-translations.jsp}} with the {{Host}} header set to some XSS payload (e.g. {code}<script>alert(/xss/)</script>{code})
  • The offending lines pick up this payload and the browser renders it (observe an alert with the text "xss")

Offending code in {{/src/main/webapp/includes/decorators/global-translations.jsp#18}}:

{code:java}
17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
18 <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
19 <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">
{code}
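The reflection on line 18, and the check a defender would add, as an added Python example (not Jira's code; the request values, hostname and allowlist are constructed): {{render_unsafe}} mirrors the JSP's raw concatenation of {{getServerName()}} into the attribute, while {{render_safe}} only accepts a server name that is syntactically a host and matches the deployment's configured hostnames, then HTML-attribute-escapes the assembled value.

```python
import html
import re
from typing import Iterable

# Constructed request: the pieces the JSP concatenates, with the server
# name taken from a tampered Host header (sample payload from the report).
TAMPERED_REQUEST = {
    "scheme": "http",
    "server_name": '"><script>alert(/xss/)</script>',
    "server_port": 8080,
    "context_path": "/jira",
}

# Hostname labels (RFC 1123 style) or a bracketed IPv6 literal; anything
# else, including quotes and angle brackets, is not a host at all.
_HOST_RE = re.compile(
    r"^(?:"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"|\[[0-9A-Fa-f:.]+\]"
    r")$"
)


def assemble_base_url(req: dict) -> str:
    """Same expression as the JSP: scheme://serverName:port + contextPath."""
    return f'{req["scheme"]}://{req["server_name"]}:{req["server_port"]}{req["context_path"]}'


def render_unsafe(req: dict) -> str:
    """The vulnerable pattern: the Host-derived value lands in an attribute unescaped."""
    return f'<input type="hidden" title="baseURL" value="{assemble_base_url(req)}">'


def is_trusted_host(server_name: str, allowed_hosts: Iterable[str]) -> bool:
    """True only for a well-formed host that the deployment actually serves."""
    if not _HOST_RE.match(server_name):
        return False
    return server_name.lower() in {h.lower() for h in allowed_hosts}


def render_safe(req: dict, allowed_hosts: Iterable[str]) -> str:
    """Hardened form: reject unexpected Host values, and escape the attribute anyway."""
    if not is_trusted_host(req["server_name"], allowed_hosts):
        raise ValueError("Host header does not match a configured base URL")
    return f'<input type="hidden" title="baseURL" value="{html.escape(assemble_base_url(req), quote=True)}">'
```

The allowlist check is what stops the poisoned response from being cached at all; the escaping is defence in depth for any other value that reaches the attribute.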