[INTREST SEC] Atlassian Confluence Wiki XSS Vulnerability

2012-10-22T00:00:00
ID SECURITYVULNS:DOC:28672
Type securityvulns
Reporter Securityvulns
Modified 2012-10-22T00:00:00

Description


INTREST SEC | Security Advisory

Product: Confluence Wiki Vendor: Atlassian (www.atlassian.com) Vulnerability Type: Cross Site Scripting (XSS) Risk Level: High (classified by vendor) Discovered by: INTREST SEC - NID Public Diclosure: 2012/09/12 Vendor Notification: 2012/02/07 Tested Versions: 3.5.9, 4.0.3, 4.1.4 CVSS Score: 7.5

Details

Atlassian Confluence is described as "Collaboration tool for teams to create, share, and discuss rich content - docs, files, ideas, specs, diagrams, mockups, anything". (www.atlassian.com)

Description

A security vulnerability within Atlassian Confluence Wiki has been identified. It is remotely exploitable and based on the CWE-79 family Cross-Site-Scripting (XSS). Confluence allows input passed in the URL to be injected into the HTML structure of an error-page in an unsafe and unsanitized way. Therefore it is possible to inject nonpersistent JavasScript code. This vulnerability does not require authentication of the victim and can easily be exploited by manipulating the GET request.

Proof of Concept

The following URL triggers the XSS by including <IFRAME SRC="javascript:alert('XSS')"> into the error page:

http://localhost:8090/pages/includes/ status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm

Solution

According to the vendor, upgrade to Confluence 4.1.9 or later.

References

[1] Atlassian Security Advisory https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11

Time Table

[2012/02/07] Informed vendor about the vulnerability via ticketing system [2012/02/08] Informed vendor that Atlassian JIRA (at least 4.4.3 and 4.4.4) is also infected [2012/02/09] Vendor created a ticket for JIRA vulnerability [2012/02/09] Vendor response: JIRA problem already known. "The fix should be available in JIRA 5.0 or 5.0.1" [2012/03/21] Vendor tagged ticket as fixed. [2012/04/02] Asked vendor about things like patch release date, requesting a CVE number, releasing an advisory [2012/04/03] Vendor response: No dedicated Patch; Version 4.1.9 has been released; no CVE will requested by vendor [2012/08/27] Vendor defined advisory release date to 2012/09/11 [2012/08/27] Informed vendor about additional advisory release through INTREST SEC [2012/09/11] Vendor released advisory [2012/09/13] INTREST SEC released advisory

--

INTREST SEC Intelligent Information Security


Kommunalstrasse 15 - A-4020 Linz - Austria Tel. +43 (0) 732 / 341 060 Fax. +43 (0) 732 / 341 060 - 20 researchlab [at] intrest.at | www.intrest-sec.com