XSS in /secure/admin/TempoServicesAccess.jspa

2013-03-19T00:53:06
ID ATLASSIAN:JRACLOUD-66141
Type atlassian
Reporter sverrir
Modified 2017-04-02T05:04:42

Description

{{allowedIpAddresses}} is echoed into the results page without any HTML encoding. The contents of the field persist through the "missing XSRF token" screen, so exploitation is trivial: just get the victim to click on the link without a token.

{noformat}
/secure/admin/TempoServicesAccess.jspa?allowedIpAddresses=%3Cxss%3E&atl_token=BYRO-9FU9-UCXC-E6R7%7C1abd1e4580f1776e7c4a257414640e59c92fc1b0%7Clin&atl_token_retry_button=Retry+Operation
{noformat}

Response (the submitted value appears unencoded in two places on the page: the error message text and the body of the textarea):

{code:html}
    </tr>

    <tr class="descriptionrow">
        <td class="fieldValueArea" colspan="2">
            <div style="width: 80%;" class="aui-message error">
                Misprint in Allowed addresses? Please check and save again. The offending input: <xss>
            </div>
        </td>
    </tr>

    <tr>
        <td class="fieldLabelArea">Allowed addresses</td>
        <td class="fieldValueArea" bgcolor="#ffffff">
            <textarea style="width:90%" rows="10" cols="50" id="allowedIpAddresses" name="allowedIpAddresses"><xss></textarea>
        </td>
    </tr>
{code}

The affected code is probably in Tempo rather than in JIRA itself.

See the fixing HOWTO at https://extranet.atlassian.com/display/SECCOUNCIL/HOWTO+-+Fixing+JIRA+Security+Issues
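As an added illustration (not code from this report, from Tempo or from JIRA), the two output sinks shown in the response above modelled in Python: the vulnerable rendering interpolates the submitted {{allowedIpAddresses}} value raw, the fixed rendering HTML-encodes it for both the error-message text node and the textarea body, and a small check counts unencoded reflections so a regression test can fail on them. The template strings, the {{render_*}} names and the sample value are constructed for this example.

```python
import html

# Constructed sample input modelled on the report's probe: a submitted value
# that contains markup. The real parameter name is allowedIpAddresses.
SUBMITTED_VALUE = "<xss>"

# Cut-down copies of the two sinks from the response above (constructed).
ERROR_ROW = (
    '<div style="width: 80%;" class="aui-message error">'
    "Misprint in Allowed addresses? Please check and save again. "
    "The offending input: {value}</div>"
)
FIELD_ROW = (
    '<textarea style="width:90%" rows="10" cols="50" '
    'id="allowedIpAddresses" name="allowedIpAddresses">{value}</textarea>'
)


def render_vulnerable(value: str) -> str:
    """Interpolates the raw parameter into both sinks, as the report shows."""
    return ERROR_ROW.format(value=value) + FIELD_ROW.format(value=value)


def render_fixed(value: str) -> str:
    """HTML-encodes the value before it reaches either sink.

    The textarea is RCDATA: tags are not parsed inside it, but a literal
    '</textarea>' closes it, so encoding '<' is what matters there too.
    quote=True also covers the attribute context should the same value
    ever be placed into an attribute.
    """
    safe = html.escape(value, quote=True)
    return ERROR_ROW.format(value=safe) + FIELD_ROW.format(value=safe)


def reflects_unencoded(page: str, probe: str) -> int:
    """Regression check: how many times the raw probe lands in the page.

    Returns 0 when every occurrence has been encoded.
    """
    return page.count(probe)


if __name__ == "__main__":
    print("vulnerable:", reflects_unencoded(render_vulnerable(SUBMITTED_VALUE), SUBMITTED_VALUE))
    print("fixed:", reflects_unencoded(render_fixed(SUBMITTED_VALUE), SUBMITTED_VALUE))
```

A legitimate CIDR list such as `10.0.0.0/8` contains no characters that html.escape rewrites, so the fixed rendering leaves valid input unchanged.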