Jira 4.0.1 Cross Site Scripting

2010-07-28T00:00:00
ID PACKETSTORM:92250
Type packetstorm
Reporter MaXe
Modified 2010-07-28T00:00:00

Description

Jira - Multiple Low Risk Vulnerabilities  
  
  
Versions Affected: 4.0.1 (other versions were not checked.)  
  
Info:  
JIRA provides issue tracking and project tracking for software  
development teams to improve code quality and the speed of  
development. (and so forth.)  
  
External Links:  
http://www.atlassian.com/software/jira/  
  
Credits: MaXe (no previous vulnerability information about these  
bugs was found.)  
  
  
-:: The Advisory ::-  
Jira is prone to three issues: Cross Site Script Redirection (XSSR),  
also known as Cross Site Redirection (CSR), which is an open redirect  
that accepts script-bearing URI schemes; Non-Persistent (reflected)  
Script Injection; and Low Risk Information Disclosure.  
  
Cross Site Script Redirection:  
The "returnUrl" GET parameter of ViewIssue.jspa is not sufficiently  
sanitized, so the redirect it issues can be pointed at a data: URI and  
the target user lands on attacker-supplied HTML instead of a page on  
the Jira host. A document loaded from a data: URI runs in its own  
opaque origin, not Jira's, so this is a redirect to attacker content  
rather than script execution against the Jira session. Current  
browsers also refuse top-level navigation to data: URIs, which blunts  
this PoC on modern clients without removing the underlying open  
redirect.  
  
Proof of Concept URL:  
ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script>  
  
  
Non-Persistent Script Injection:  
The "returnUrl" GET parameter of AttachFile!default.jspa is not  
sufficiently sanitized either. Here the value is reflected into the  
page rather than used as a redirect target; the ';foo=' suffix in the  
PoC below indicates it is reflected inside a single-quoted JavaScript  
string (likely the button's click handler), which the payload closes  
early. The injected javascript: URI only fires when the target user  
clicks the "Cancel" button on the affected page, so the attack is  
conditional on that click, but unlike the data: redirect above it  
executes in Jira's origin.  
  
Proof of Concept URL:  
AttachFile!default.jspa?id=[VALID_ID]&returnUrl=javascript:alert(0)';foo='  
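Both returnUrl findings above come down to one missing check: the parameter is accepted as an arbitrary string and then either used as a redirect target or dropped into a JavaScript string. The following is an added example, not code from this advisory or from Atlassian, of the validation a practitioner would expect: a whitelist of same-site relative paths for the redirect case, and JSON-style escaping for the script-string case. The function names, the shape of the Cancel handler (modelled as a single-quoted `location.href` assignment, which is inferred from the `';foo='` suffix in the PoC and not confirmed by the advisory) and the test inputs are all this example's own.

```python
"""Added example, not code from the advisory or from Atlassian: validating a
returnUrl-style parameter (redirect case) and escaping it for a JavaScript
string context (reflection case).  Function names and the shape of the
Cancel handler are this example's own assumptions."""
import json
import re
from urllib.parse import unquote

# Browsers strip leading ASCII control characters and spaces before they
# parse a scheme, so "\tjavascript:" must be treated like "javascript:".
_LEADING_JUNK = re.compile(r"^[\x00-\x20\x7f]+")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2F%2F or %252F%252F
    cannot hide a scheme-relative URL from the checks below."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_return_url(value, default: str = "/") -> str:
    """Return value if it is a same-site relative path, otherwise default.

    Rejected: any scheme (javascript:, data:, http://...), scheme-relative
    "//host" and "/\\host", backslashes anywhere (browsers normalise them
    to slashes) and embedded control characters.
    """
    if not value:
        return default
    candidate = _CONTROL.sub("", _LEADING_JUNK.sub("", _fully_decode(value)))
    if not candidate.startswith("/"):
        return default          # covers javascript:, data:, http://, bare names
    if len(candidate) > 1 and candidate[1] in "/\\":
        return default          # //evil.example or /\evil.example
    if "\\" in candidate:
        return default
    return candidate


def js_string_literal(value: str) -> str:
    """Serialise value as a JavaScript string literal that is safe inside a
    <script> block: json.dumps escapes quotes, backslashes and control
    characters; <, > and & are then escaped so "</script>" or "<!--" inside
    the value cannot terminate or comment out the script."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


# Assumed shape of the Cancel button's handler: the advisory does not show
# Jira's markup; the "';foo='" suffix in the PoC implies the value lands
# inside a single-quoted JavaScript string, which this pattern models.
def cancel_handler_vulnerable(return_url: str) -> str:
    return "location.href='%s';" % return_url


def cancel_handler_hardened(return_url: str) -> str:
    """Whitelist the value first, then emit it as a proper JS literal."""
    return "location.href=%s;" % js_string_literal(safe_return_url(return_url))


if __name__ == "__main__":
    payload = "javascript:alert(0)';foo='"      # the advisory's second PoC value
    print(cancel_handler_vulnerable(payload))   # string closed early: code runs on click
    print(cancel_handler_hardened(payload))     # falls back to "/"
    print(safe_return_url("data:text/html,<script>alert(0)</script>"))
```

The whitelist deliberately accepts nothing but a path beginning with a single "/"; a blacklist of known schemes would miss the mixed-case, leading-whitespace and double-encoded variants the test inputs exercise.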
  
  
Low Risk Information Disclosure:  
The "reportKey" GET parameter of ConfigureReport.jspa is not validated  
for malformed input; an invalid value raises an unhandled exception and  
the resulting error page includes environment details.  
  
This will disclose information such as:  
- Kernel information  
- MySQL version  
- Plugins enabled  
- Architecture  
- Username the application is running under.  
- Java Version  
- And more..  
  
Proof of Concept URL:  
ConfigureReport.jspa?selectedProjectId=[VALID_ID]&reportKey='invalid&Next=Next  
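The three PoC URLs leave distinctive traces in web server access logs. The following added example, not part of the advisory, scans combined-format log lines for them: a returnUrl carrying a script-bearing or absolute scheme, a reportKey containing characters a plugin key never uses, and a 5xx response from ConfigureReport.jspa. The log lines are constructed for this example; the /secure/ path prefix, issue ids and rule names are this example's own assumptions.

```python
"""Added example, not part of the advisory: spot the three PoC patterns in
combined-format access logs.  Log lines are constructed; the /secure/
prefix, issue ids and rule names are this example's own assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (combined log format).  Lines 2-4 replay the three
# PoC URLs from the advisory; lines 1 and 5 are benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2010:10:01:02 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2010:10:01:09 +0000] "GET /secure/ViewIssue.jspa?id=10000&watch=true&returnUrl=data:text/html,%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2010:10:01:15 +0000] "GET /secure/AttachFile!default.jspa?id=10000&returnUrl=javascript:alert(0)%27%3Bfoo=%27 HTTP/1.1" 200 7711 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2010:10:01:21 +0000] "GET /secure/ConfigureReport.jspa?selectedProjectId=10000&reportKey=%27invalid&Next=Next HTTP/1.1" 500 20480 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Jul/2010:10:02:00 +0000] "GET /secure/AttachFile!default.jspa?id=10001&returnUrl=/browse/TEST-2 HTTP/1.1" 200 7700 "-" "Mozilla/5.0"
"""

# client, method, request target, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Script-bearing schemes, allowing the leading whitespace browsers ignore.
SCRIPT_SCHEME_RE = re.compile(r"^[\x00-\x20]*(javascript|data|vbscript)\s*:", re.I)
# Scheme-relative ("//host", "/\host") or absolute ("http://host") targets.
ABSOLUTE_RE = re.compile(r"^(?:[\\/]{2}|[a-z][a-z0-9+.-]*://)", re.I)
# Characters a legitimate plugin report key is made of (letters, digits, . _ : -).
REPORT_KEY_RE = re.compile(r"[A-Za-z0-9._:-]+")


def check_request(target: str, status: int):
    """Return [(rule, detail), ...] for one request target and its status."""
    findings = []
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    for val in params.get("returnUrl", []):
        val = unquote(val)   # parse_qs decoded once; decode again to catch %252F%252F
        if SCRIPT_SCHEME_RE.search(val) or ABSOLUTE_RE.search(val):
            findings.append(("returnUrl-redirect", f"{script} returnUrl={val}"))
    for val in params.get("reportKey", []):
        if not REPORT_KEY_RE.fullmatch(unquote(val)):
            findings.append(("reportKey-malformed", f"{script} reportKey={val}"))
    if script == "ConfigureReport.jspa" and status >= 500:
        findings.append(("configurereport-5xx", f"status {status}"))
    return findings


def scan_access_log(text: str):
    """Return [(client_ip, rule, detail), ...] over every parseable line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        for rule, detail in check_request(target, int(status)):
            hits.append((ip, rule, detail))
    return hits


if __name__ == "__main__":
    for ip, rule, detail in scan_access_log(SAMPLE_LOG):
        print(f"{ip:15} {rule:22} {detail}")
```

The reportKey rule keys on the character set rather than on the literal `'invalid` from the PoC, so any other malformed key that trips the same exception path is caught; correlating it with the 5xx status on the same request separates a probe that succeeded in raising the error page from one that did not.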
  
-:: Solution ::-  
No vendor fix is known at the time of writing. Jira is closed source,  
so a third-party patch cannot be provided and the code cannot easily  
be audited for further vulnerabilities. Until Atlassian ships a fix,  
the usual interim mitigations apply: reject or rewrite at a reverse  
proxy any returnUrl value that is not a same-site relative path  
(a single leading "/" and nothing resembling a scheme), and configure  
the servlet container to serve a generic error page instead of the  
default exception page so that stack traces and environment details  
are not returned to clients.  
  
  
Disclosure Information:  
- Vulnerabilities found and researched: 23rd July 2010  
- Vulnerabilities disclosed at InterN0T 24th July  
- Bugtraq contacted (again) at: 28th July  
  
  
References:  
http://forum.intern0t.net/intern0t-advisories/2861-jira-enterprise-4-0-1-multiple-low-risk-vulnerabilities.html  
  
  
All of the best,  
MaXe  