Reflected XSS in the jira-gadgets-plugin getLabelGroups REST resource

2013-01-02T04:17:03
ID ATLASSIAN:JRASERVER-31127
Type atlassian
Reporter dblack
Modified 2018-10-16T00:58:56

Description

The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups REST resource that is vulnerable to reflected XSS through the user-supplied 'project' path parameter. The vulnerability is caused by building an error response with a content type of text/html and not HTML-encoding the 'project' parameter when it cannot be parsed as a long.

An example URL demonstrating this flaw: http://$JIRA/jira/rest/gadget/1.0/labels/gadget/%22'%3Cvideo%20onerror=alert(3)%20src=xxxx%3Ealert(3);%3C/script%3E/groups

{code}
@GET
@Path("gadget/{project}/{fieldId}/groups")
@Produces(MediaType.TEXT_HTML)
public Response getLabelGroups(@PathParam("project") String project, @PathParam("fieldId") String fieldId)
{
    long projectId;
    try
    {
        projectId = Long.parseLong(StringUtils.substring(project, "project-".length()));
    }
    catch (NumberFormatException e)
    {
        log.error("Error parsing project id from '" + project + "'");
        // Vulnerable: the raw 'project' value is echoed into a body that @Produces marks as text/html
        return Response.status(Response.Status.BAD_REQUEST).entity("Error parsing project id from '" + project + "'").cacheControl(NO_CACHE).build();
    }

    return Response.ok(alphabeticalLabelRenderer.getHtml(authenticationContext.getLoggedInUser(), projectId, fieldId, true)).cacheControl(NO_CACHE).build();
}
{code}
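As an added example (not Atlassian's code and not the actual fix shipped for this issue), the following hardened shape of the error path applies both mitigations the description implies: the 400 response is typed text/plain so a browser never renders it as markup, and the echoed parameter is HTML-encoded as defence in depth. The class name, helper names and the strict "project-" prefix check are assumptions.

```java
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical hardened error handling for the getLabelGroups resource.
public final class LabelGroupsErrorHandling {
    private static final String PROJECT_PREFIX = "project-";

    // Parse "project-<digits>" strictly; returns null instead of throwing when malformed.
    // The original used StringUtils.substring(...) without checking that the prefix is present.
    static Long parseProjectId(String project) {
        if (project == null || !project.startsWith(PROJECT_PREFIX)) {
            return null;
        }
        try {
            return Long.parseLong(project.substring(PROJECT_PREFIX.length()));
        } catch (NumberFormatException e) {
            return null;
        }
    }

    // Encode the characters that can break out of an HTML text or attribute context.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the 400 response. An explicit .type(...) on the builder overrides the
    // method-level @Produces(MediaType.TEXT_HTML), so the body is served as text/plain;
    // the value is still encoded in case a proxy or caller re-labels it as HTML.
    static Response badRequest(String project) {
        String body = "Error parsing project id from '" + htmlEncode(project) + "'";
        return Response.status(Response.Status.BAD_REQUEST)
                .type(MediaType.TEXT_PLAIN_TYPE)
                .entity(body)
                .build();
    }
}
```

With the payload from the example URL above, htmlEncode turns every `<`, `>`, `"` and `'` into an entity, so the reflected text no longer contains a `<video ...>` tag even if the response were rendered as HTML.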