Jira 4.0.1 Cross Site Scripting

Type packetstorm
Reporter MaXe
Modified 2010-07-28T00:00:00


Jira - Multiple Low Risk Vulnerabilities  
Versions Affected: 4.0.1 (other versions were not checked.)  
JIRA provides issue tracking and project tracking for software  
development teams to improve code quality and the speed of  
development. (and so forth.)  
External Links:  
Credits: MaXe (no previous vulnerability information about these  
bugs was found.)  
-:: The Advisory ::-  
Jira is prone to Cross Site Script Redirection (XSSR), also known as  
Cross Site Redirection (CSR), Non-Persistent Script Injection and  
Low Risk Information Disclosure.  
Cross Site Script Redirection:  
The "returnUrl" GET parameter of ViewIssue.jspa does not sanitize  
user input sufficiently, which allows the data: URI scheme to be  
used in an attack.  
Proof of Concept URL:  
Non-Persistent Script Injection:  
The "returnUrl" GET parameter of default.jspa does not sanitize  
user input sufficiently, which allows the javascript: URI scheme  
to be used in a conditional attack: the script runs only if the target user  
clicks the "Cancel" button on the affected page.  
Proof of Concept URL:  
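Added example, not code from the advisory or from Atlassian: a server-side allow-list for a returnUrl-style parameter, written in Python as a language-neutral illustration of the check that the ViewIssue.jspa and default.jspa redirects described above lack. It accepts only same-origin, path-absolute references and rejects data:, javascript: and every other scheme, protocol-relative targets and control characters; the default URL and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical fallback used when the supplied returnUrl is rejected.
DEFAULT_RETURN_URL = "/secure/Dashboard.jspa"

# ASCII control characters. Browsers silently drop tab, CR and LF while
# parsing a URL, so "java\tscript:" is executed as javascript:; CR/LF in a
# Location header would also split the response. Rejecting them outright
# avoids having to reproduce the browser's normalisation here.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_return_url(value: str) -> bool:
    """Allow-list check: True only for a path-absolute, same-origin reference.

    Accepted: "/browse/KEY-1", "/secure/Dashboard.jspa?selectPageId=1"
    Rejected: anything with a scheme (javascript:, data:, http:), network-path
    references ("//host", "/\\host"), control characters and empty values.
    """
    if not value or _CONTROL_CHARS.search(value):
        return False
    # Exactly one leading "/" and no backslash anywhere: browsers treat
    # "/\\host" like "//host", and a backslash is never needed in a Jira path.
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return False
    parts = urlsplit(value)
    # The leading "/" already rules out a scheme; the explicit check documents
    # the intent and keeps the function correct if the prefix rule is relaxed.
    return parts.scheme == "" and parts.netloc == ""


def safe_return_url(value: str, default: str = DEFAULT_RETURN_URL) -> str:
    """Value to emit in the Location header or the Cancel link: the supplied
    returnUrl if it passes the allow-list, otherwise the trusted default."""
    return value if is_safe_return_url(value) else default


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    for candidate in ["/browse/ABC-1", "javascript:void(0)", "data:text/html,hello",
                      "java\tscript:void(0)", "//attacker.invalid/", "/\\attacker.invalid"]:
        print(f"{candidate!r:32} -> {safe_return_url(candidate)!r}")
```

The same check applies to any parameter that ends up in a Location header or an href, which is why it validates the whole value rather than just its prefix.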
Low Risk Information Disclosure:  
The "reportKey" GET parameter of ConfigureReport.jspa is not  
sanitized properly for erroneous input and may cause an exception  
when the value passed to it is invalid.  
This will disclose information such as:  
- Kernel information  
- MySQL version  
- Plugins enabled  
- Architecture  
- Username the application is running under.  
- Java Version  
- And more..  
Proof of Concept URL:  
-:: Solution ::-  
There is currently no known solution. Jira is closed source, so it is  
not possible to provide a patch, nor to audit the code easily in  
order to find further vulnerabilities.  
Disclosure Information:  
- Vulnerabilities found and researched: 23rd July 2010  
- Vulnerabilities disclosed at InterN0T 24th July  
- Bugtraq contacted (again) at: 28th July  
All of the best,