XSS Vulnerability in jira.issueviews:searchrequest-xml

2017-04-11T19:47:44
ID ATLASSIAN:JRASERVER-65079
Type atlassian
Reporter micah3
Modified 2017-04-12T18:12:25

Description

The endpoint [/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml/|https://jira.uberinternal.com/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml/--] is vulnerable to an XSS injection in certain cases.

Normally, the browser will URL-encode its requests, but some proxy servers and load balancers will decode URL data by default (see [http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri]).

Steps to reproduce:

Send a request using curl:

{code:java}
curl http://<JIRA URL>/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml/--\>\<script\>alert(\'xss\')\</script\>\<!--?noResponseHeaders=true > example.html
{code}

Open the file example.html in Firefox.
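
A detection sketch for the request pattern in the steps above, as an added example that is not part of the original report or Atlassian's code: it scans access-log lines for requests under the affected endpoint whose path carries markup characters, whether raw, percent-encoded, or double-encoded. The combined log format, the function names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint prefix taken from the report above.
ENDPOINT = "/sr/jira.issueviews:searchrequest-xml/"
# Assumption: combined-format access log, request line quoted as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let reflected path data break out of XML text or comments.
MARKUP_CHARS = set("<>\"'")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_path(log_line):
    """Return the decoded path when a request to the endpoint carries markup in its path."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # Only the path is inspected; legitimate queries may contain encoded characters.
    path = fully_decode(urlsplit(match.group("target")).path)
    if not path.startswith(ENDPOINT):
        return None
    tail = path[len(ENDPOINT):]
    return path if MARKUP_CHARS & set(tail) else None


def scan(lines):
    """Return the decoded paths of all flagged requests, in log order."""
    return [hit for hit in map(suspicious_path, lines) if hit]


# Constructed sample log lines (documentation IP addresses, invented sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2017:19:40:01 +0000] "GET /sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?jqlQuery=project%3DDEMO HTTP/1.1" 200 5120',
    '203.0.113.9 - - [11/Apr/2017:19:41:12 +0000] "GET /sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml/--%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E%3C!--?noResponseHeaders=true HTTP/1.1" 200 812',
    '203.0.113.9 - - [11/Apr/2017:19:41:30 +0000] "GET /sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml/--%253E%253Cb%253E HTTP/1.1" 200 700',
    '203.0.113.12 - - [11/Apr/2017:19:42:02 +0000] "GET /secure/Dashboard.jspa?x=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("markup in searchrequest-xml path:", hit)
```

Run it against logs from the outermost proxy, since that layer records the request before any downstream decoding.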