Atlassian Jira 7.1.7 Cross Site Scripting

`=====[ Tempest Security Intelligence -ADV-2/2016 CVE-2016-6285 ]==========  
  
Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software  
---------------------------------------------------------------  
  
Author(s):  
  
- Roberto Soares  
- roberto.soares () tempest.com.br  
  
Tempest Security Intelligence - Recife, Pernambuco - Brazil  
  
=====[ Table of Contents ]================================================  
  
1. Overview  
2. Detailed description   
3. Affected versions & Solutions   
4. Timeline of disclosure   
5. Thanks & Acknowledgements   
6. References  
  
=====[ 1. Overview ]=======================================================  
  
* System affected : Atlassian JIRA Software  
* Model : JIRA Software 7.1.7 (other version may be affected)  
* Software Version : 7.1.7  
Other versions or models may also be affected.  
* Impact : Cross-site scripting (XSS) is a code injection   
attack that allows an attacker to execute malicious  
JavaScript in another user's browser.  
* Asset description : JIRA is a proprietary issue tracking product,  
developed by Atalassian [1]. It provides bug  
tracking, issue tracking and projec management  
functions to over 25.000 customers in 122 conuntries  
around the globe.  
  
=====[ 2. Detailed description ]===========================================  
  
During a code review analysis recently undergone by JIRA we were able to  
verify the existence of a reflected Cross-Site Scripting (XSS)   
vulnerability.  
In order to perform this analysis we made use of Linux's grep tool. As a  
means to find possible stretches of vulnerable code an example of grep's  
syntax is shown below:  
  
$ grep -ni 'request.getServerName()' * -R  
  
This, in turn, returned a suspicious piece of code in /src/main/webapp/  
includes/decorators/global-translations.jsp, line 18:  
  
...snip...  
17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="  
'common.forms.ajax.unauthorised.alert'"/>">  
18 <input type="hidden" title="baseURL" value="<%=request.getScheme() +   
"://" +request.getServerName() + ':' + request.getServerPort() +   
request.getContextPath()%>">  
19 <input type="hidden" title="ajaxCommsError" value="<ww:text   
name="'common.forms.ajax.commserror'"/>">   
...snip...  
  
This vulnerability happens because a string is created on line 18 that  
uses an non-validated value from the request, in this case, the   
"request.getServerName()" method, that returns the host name of the  
server to which the request was sent.  
  
This message eventually is part of the page that is sent back to the user.  
If a malicious value is sent in the request, it may be possible to perform  
a cross-site scripting attack. In this case, in order to mitigate this  
problem, we recommend not supplying the value as part of the message sent  
back to the user. However, if the value must be part of the message, then  
we recommend ensuring proper validation and leveraging appropriate output  
enconding.  
  
The reflected XSS is caused as a response of the following request:  
  
GET /includes/decorators/global-translations.jsp HTTP/1.1  
Host: "><script>alert(/xss/)</script>  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip,deflate  
DNT: 1  
Cookie: JSESSIONID={redacted}  
Connection: close  
Cache-Control: max-age=0  
  
Steps to reproduce:  
  
* Tamper with a GET request to http://jira_instance/includes/decorators/  
global-translations.jsp with the Host header set to some XSS payload   
(e.g. "><script>alert(/xss/)</script>);  
  
* The offending lines in code pick this payload and browser renders it   
(observe an alert with text "xss").  
  
=====[ 3. Affected versions & Solutions ]==================================  
  
This test was performed against Atlassian Jira Software version 7.1.7.  
  
According to vendor's response, the vulnerability is addressed and the fix  
is part of the 7.2.2 Server release.  
  
=====[ 4. Timeline of disclosure ]=========================================  
  
- Jul/13/2016 : Vendor contacted by Atlassian Security Service Desk Portal  
(https://securitysd.atlassian.net/servicedesk/customer/  
portals);  
- Jul/15/2016 : Vendor first responded to the recognition of vulnerability;  
- Jul/16/2016 : Vendor suggested the creation of an account on the portal  
https://jira.atlassian.com/;  
- Jul/17/2016 : Account Created.  
- Sep/27/2016 : Vendor released the fix for the vulnerability in version   
7.2.2 Server.  
  
=====[ 5. Thanks & Acknowledgements ]======================================  
  
- Tempest Security Intelligence / Tempest's Pentest Team [2]  
- Joaquim Brasil - joaquim () tempest.com.br  
  
=====[ 6. References ]=====================================================  
  
[1] https://www.atlassian.com  
[2] http://www.tempest.com.br  
`