The JIRA/Crowd applications fail to properly sanitize user input in the query string of the website or in the value of a parameter

2012-09-10T04:14:25
ID ATLASSIAN:JRACLOUD-29640
Type atlassian
Reporter rkumar66
Modified 2017-04-12T22:57:03

Description

NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-29640

We need to avoid Cross-site Scripting vulnerabilities. A function should be created to provide server-side and client-side input validation where applicable. Special characters should be stripped out during the validation process. The following special characters should be stripped out if unnecessary:

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

During testing, we found the following URLs reproduce the Cross-site Scripting (XSS) vulnerabilities.

https://del-test.sapient.resultspace.com/jira/rest/api/1.0/labels/suggest

Vulnerable Parameters: query, suggest

https://del-test.sapient.resultspace.com/jira/rest/gadget/1.0/createdVsResolved/generate

Vulnerable Parameters: projectOrFilterId

https://del-test.sapient.resultspace.com/jira/rest/gadget/1.0/createdVsResolved/validate

Vulnerable Parameters: projectOrFilterId, validate

https://deltest.sapient.resultspace.com/jira/rest/greenhopper/1.0/context-list/generate

Vulnerable Parameters: projectId, generate

https://deltest.sapient.resultspace.com/jira/rest/greenhopper/1.0/versionBoardlist/generate

Vulnerable Parameters: projectId, generate

Please see the attached file Cross_Site_Scripting.txt for details of the responses.
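The report proposes a validation function that strips the listed characters from request parameters. The following is an added example, not code from the report, from Atlassian or from the attachment: it implements that character-stripping function next to the usual alternative, HTML output encoding, and runs both over a reflected-XSS payload and over ordinary user input. The rendering function `renderSuggestPage`, the `containsInjectedTag` check and the two sample inputs are assumptions constructed for the demonstration; the real `labels/suggest` endpoint returns JSON and is not modelled here. The point a practitioner would want on record: stripping neutralises the `<script>` payload but also mangles legitimate values such as `C++` or `O'Neil`, while encoding at the point of output neutralises the same payload and preserves the data.

```javascript
// Added example (not from the JIRA report). Compares the report's
// "strip special characters" approach with HTML output encoding.

// The character list from the report: | & ; $ % @ ' " < > ( ) + CR LF , \
// The \' and \" entries are covered by stripping \, ' and " individually.
const STRIP_RE = /[|&;$%@'"<>()+\r\n,\\]/g;

// Reporter's proposal: remove the listed characters from the input value.
function stripSpecialChars(input) {
  return String(input).replace(STRIP_RE, '');
}

// Context-aware alternative: encode the five HTML-significant characters so
// the value is rendered as text in an HTML body or double-quoted attribute.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical page that reflects a `query` parameter into HTML (assumption:
// a stand-in for an endpoint that echoes its parameter back to the browser).
function renderSuggestPage(query, sanitizer) {
  return `<p>Suggestions for: ${sanitizer(query)}</p>`;
}

// Detection check: true if the rendered page contains any tag other than
// the <p> / </p> the template itself writes.
function containsInjectedTag(html) {
  return /<(?!\/?p>)[a-z!\/]/i.test(html);
}

// Constructed sample inputs (not taken from the report's attachment).
const PAYLOAD = '<script>alert(1)</script>';
const LEGIT = 'C++ labels, "urgent" & O\'Neil';

// Runs the comparison and returns the observations as data.
function compareApproaches() {
  const identity = (s) => s;
  return {
    rawReflected: containsInjectedTag(renderSuggestPage(PAYLOAD, identity)),
    strippedReflected: containsInjectedTag(renderSuggestPage(PAYLOAD, stripSpecialChars)),
    encodedReflected: containsInjectedTag(renderSuggestPage(PAYLOAD, escapeHtml)),
    strippedLegit: stripSpecialChars(LEGIT),   // data loss: 'C labels urgent  ONeil'
    encodedLegit: escapeHtml(LEGIT),           // preserved after browser decoding
  };
}

console.log(compareApproaches());
```

Stripping `%` before URL decoding, or `+` in values that are legitimately encoded spaces or version strings, is the kind of collateral damage the comparison is meant to surface; a blocklist applied at input time is a defence-in-depth measure at best, and the reflection into HTML is what has to be encoded.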