DOM XSS in dhtmlHistory.js when using IE

2013-12-09T04:14:42
ID ATLASSIAN:JRASERVER-36120
Type atlassian
Reporter ccyd2
Modified 2017-02-20T02:53:20

Description

In the createIE function inside [dhtmlHistory.js|https://stash.atlassian.com/projects/JIRA/repos/jira/browse/jira-components/jira-webapp/src/main/webapp/includes/lib/dhtmlhistory/dhtmlHistory.js#333] the value of the fragment identifier is concatenated into the HTML of an iframe without first being HTML-escaped or URL-encoded. This results in a DOM XSS that is exploitable in Internet Explorer.

Steps to reproduce:

1. Create a project named 'testproject' that has a key of 'TESTP'.
2. In Internet Explorer, go to https://$jiradomain/$contextpath/browse/TESTP#src="/></iframe><script>alert(3);</script>
3. If an alert prompt containing the number 3 does not appear, try refreshing the page.
4. Observe that an alert prompt containing the number 3 is shown.
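The following is an added illustration of the bug class described above, not the dhtmlHistory.js code itself: a hypothetical reconstruction of the unsafe concatenation pattern next to a hardened variant that encodes the fragment for the URL context and HTML-escapes it for the attribute context. Function names, the markup shape and the check helper are assumptions; the sample fragment is the one from the reproduction steps.

```javascript
// Added example, not the dhtmlHistory.js source. Names and markup are assumptions.

// Vulnerable pattern (assumed shape of the reported bug): the raw fragment
// identifier is spliced straight into iframe markup, so a quote or '<' in it
// terminates the src attribute and lets the rest be parsed as new markup.
function buildIframeHtmlUnsafe(fragment) {
  return '<iframe id="historyFrame" src="' + fragment + '"></iframe>';
}

// Escape the five HTML-significant characters for an attribute value.
function htmlEscape(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hardened pattern: percent-encode the fragment for the URL context first
// (encodeURIComponent turns <, >, ", / and = into %XX sequences), then HTML-escape
// the result for the attribute context. encodeURIComponent leaves ' untouched,
// which is why the second layer is still worth having.
function buildIframeHtmlSafe(fragment) {
  var encoded = encodeURIComponent(fragment);
  return '<iframe id="historyFrame" src="' + htmlEscape(encoded) + '"></iframe>';
}

// Check helper for a test or review: the generated markup should contain exactly
// one element start tag (the iframe) and no script tag at all.
function isSingleIframe(html) {
  var startTags = html.match(/<[a-zA-Z]/g) || [];
  return startTags.length === 1 && html.indexOf('<script') === -1;
}

// Constructed sample input: the fragment from the reproduction steps above.
var SAMPLE_FRAGMENT = 'src="/></iframe><script>alert(3);</script>';
```

Running `isSingleIframe` over both builders with `SAMPLE_FRAGMENT` shows the unsafe markup grows a second element while the hardened markup stays a single iframe; building the element with `document.createElement('iframe')` and `setAttribute('src', ...)` instead of string concatenation avoids the attribute context entirely and is the cleaner fix where the code allows it.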