Confluence Wiki 4.1.4 Cross Site Scripting

2012-09-15T00:00:00
ID PACKETSTORM:116585
Type packetstorm
Reporter INTREST SEC
Modified 2012-09-15T00:00:00

Description

                                        
                                            `-------------------------------  
INTREST SEC | Security Advisory  
-------------------------------  
  
  
Product: Confluence Wiki  
Vendor: Atlassian (www.atlassian.com)  
Vulnerability Type: Cross Site Scripting (XSS)  
Risk Level: High (classified by vendor)  
Discovered by: INTREST SEC - NID  
Public Diclosure: 2012/09/12  
Vendor Notification: 2012/02/07  
Tested Versions: 3.5.9, 4.0.3, 4.1.4  
CVSS Score: 7.5  
  
  
## Details  
  
Atlassian Confluence is described as "Collaboration tool for teams to  
create, share, and discuss rich content - docs, files, ideas, specs,  
diagrams, mockups, anything". (www.atlassian.com)  
  
  
## Description  
  
A security vulnerability within Atlassian Confluence Wiki has been  
identified. It is remotely exploitable and based on the CWE-79 family  
Cross-Site-Scripting (XSS). Confluence allows input passed in the URL to  
be injected into the HTML structure of an error-page in an unsafe and  
unsanitized way. Therefore it is possible to inject nonpersistent  
JavasScript code. This vulnerability does not require authentication of  
the victim and can easily be exploited by manipulating the GET request.  
  
  
## Proof of Concept  
  
The following URL triggers the XSS by including <IFRAME  
SRC="javascript:alert('XSS')"> into the error page:  
  
http://localhost:8090/pages/includes/  
status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm  
  
  
## Solution  
  
According to the vendor, upgrade to Confluence 4.1.9 or later.  
  
  
## References  
  
[1] Atlassian Security Advisory  
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11  
  
  
## Time Table  
  
[2012/02/07] Informed vendor about the vulnerability via ticketing system  
[2012/02/08] Informed vendor that Atlassian JIRA (at least 4.4.3 and  
4.4.4) is also infected  
[2012/02/09] Vendor created a ticket for JIRA vulnerability  
[2012/02/09] Vendor response: JIRA problem already known. "The fix  
should be available in JIRA 5.0 or 5.0.1"  
[2012/03/21] Vendor tagged ticket as fixed.  
[2012/04/02] Asked vendor about things like patch release date,  
requesting a CVE number, releasing an advisory  
[2012/04/03] Vendor response: No dedicated Patch; Version 4.1.9 has been  
released; no CVE will requested by vendor  
[2012/08/27] Vendor defined advisory release date to 2012/09/11  
[2012/08/27] Informed vendor about additional advisory release through  
INTREST SEC  
[2012/09/11] Vendor released advisory  
[2012/09/13] INTREST SEC released advisory  
  
  
--  
  
INTREST SEC  
Intelligent Information Security  
-----------------------------------------------------------------------  
Kommunalstrasse 15 - A-4020 Linz - Austria  
Tel. +43 (0) 732 / 341 060  
Fax. +43 (0) 732 / 341 060 - 20  
researchlab [at] intrest.at | www.intrest-sec.com  
-----------------------------------------------------------------------  
  
  
  
  
  
  
`