Atlassian Jira 7.1.7 Cross Site Scripting

Posted Jan 17, 2017
Authored by Roberto Soares

Tempest Security Intelligence Advisory ADV-2/2016 - Atlassian Jira version 7.1.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2016-6285
SHA-256 | 3dd9c56b41ffd99414961adca6598dde55319f70e320fedb4f66bd617a6133bd

=====[ Tempest Security Intelligence -ADV-2/2016 CVE-2016-6285 ]==========

Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software
---------------------------------------------------------------

Author(s):

- Roberto Soares
- roberto.soares () tempest.com.br

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]================================================

1. Overview
2. Detailed description
3. Affected versions & Solutions
4. Timeline of disclosure
5. Thanks & Acknowledgements
6. References

=====[ 1. Overview ]=======================================================

* System affected : Atlassian JIRA Software
* Model : JIRA Software 7.1.7 (other versions may be affected)
* Software Version : 7.1.7
Other versions or models may also be affected.
* Impact : Cross-site scripting (XSS) is a code injection
attack that allows an attacker to execute malicious
JavaScript in another user's browser.
* Asset description : JIRA is a proprietary issue tracking product
developed by Atlassian [1]. It provides bug
tracking, issue tracking and project management
functions to over 25.000 customers in 122 countries
around the globe.

=====[ 2. Detailed description ]===========================================

During a recent code review of JIRA we were able to verify the existence
of a reflected Cross-Site Scripting (XSS) vulnerability.
To perform this analysis we used the grep tool on Linux. As a means of
finding possibly vulnerable stretches of code, an example of the grep
syntax used is shown below:

$ grep -ni 'request.getServerName()' * -R

This, in turn, returned a suspicious piece of code in
/src/main/webapp/includes/decorators/global-translations.jsp, line 18:

...snip...
17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="'common.forms.ajax.unauthorised.alert'"/>">
18 <input type="hidden" title="baseURL" value="<%=request.getScheme() + "://" +request.getServerName() + ':' + request.getServerPort() + request.getContextPath()%>">
19 <input type="hidden" title="ajaxCommsError" value="<ww:text name="'common.forms.ajax.commserror'"/>">
...snip...

This vulnerability exists because the string built on line 18 uses a
non-validated value from the request, in this case the return value of
the "request.getServerName()" method, which is the host name of the
server to which the request was sent (taken from the Host header).

This string eventually becomes part of the page that is sent back to the
user. If a malicious value is sent in the request, it may be possible to
perform a cross-site scripting attack. To mitigate this problem, we
recommend not supplying the request-derived value as part of the page
sent back to the user. If the value must be part of the page, then we
recommend ensuring proper validation and applying appropriate output
encoding.
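The following is an added example, not code from the advisory or from Atlassian: a plain Java rendering of what a hardened version of line 18 could do, alongside the original concatenation for comparison. It applies both mitigations named above: the host name is validated (syntactically a hostname and on a configured allowlist, otherwise replaced by a canonical host) and the whole value is HTML-attribute-encoded before it is written into value="...". The class name, the allowlist contents and the canonical host are assumptions made for the example.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not JIRA code): builds the "baseURL" hidden-input value the
 * way a hardened global-translations.jsp line 18 could, instead of
 * concatenating request.getServerName() straight into the page.
 */
public class BaseUrlBuilder {

    // Hostnames this deployment answers for; anything else is rejected.
    // Constructed sample allowlist, not a real deployment value.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("jira.example.internal", "localhost");

    // RFC 1123 hostname syntax: dot-separated labels of letters, digits and hyphens,
    // no label starting or ending with a hyphen. Anything with quotes or angle
    // brackets fails here before the allowlist is even consulted.
    private static final Pattern HOSTNAME = Pattern.compile(
            "^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$");

    /** Mirrors the vulnerable concatenation on line 18: no validation, no encoding. */
    public static String vulnerableBaseUrl(String scheme, String serverName,
                                           int port, String contextPath) {
        return scheme + "://" + serverName + ':' + port + contextPath;
    }

    /** Validation: the reflected host must be syntactically a hostname and on the allowlist. */
    public static boolean isTrustedHost(String serverName) {
        return serverName != null
                && HOSTNAME.matcher(serverName).matches()
                && ALLOWED_HOSTS.contains(serverName.toLowerCase());
    }

    /** Output encoding for an HTML attribute: escapes the characters that can close value="...". */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Hardened construction. Defence 1: an untrusted host name is replaced by the
     * configured canonical host, so the request cannot choose the value at all.
     * Defence 2: the result is attribute-encoded anyway, so a configuration mistake
     * in the allowlist still cannot inject markup into the page.
     */
    public static String safeBaseUrl(String scheme, String serverName, int port,
                                     String contextPath, String canonicalHost) {
        String host = isTrustedHost(serverName) ? serverName : canonicalHost;
        return encodeForHtmlAttribute(scheme + "://" + host + ':' + port + contextPath);
    }

    public static void main(String[] args) {
        // Constructed inputs: the Host value from the advisory's request and a legitimate one.
        String payload = "\"><script>alert(/xss/)</script>";
        String prefix = "<input type=\"hidden\" title=\"baseURL\" value=\"";

        // Original behaviour: the quote and tag land in the page unchanged.
        System.out.println("vulnerable: " + prefix
                + vulnerableBaseUrl("http", payload, 8080, "/jira") + "\">");
        // Hardened: untrusted host replaced by the canonical one.
        System.out.println("hardened:   " + prefix
                + safeBaseUrl("http", payload, 8080, "/jira", "jira.example.internal") + "\">");
        // Hardened with a legitimate host: passes validation and is emitted encoded.
        System.out.println("hardened:   " + prefix
                + safeBaseUrl("http", "jira.example.internal", 8080, "/jira",
                              "jira.example.internal") + "\">");
    }
}
```

Run it with `javac BaseUrlBuilder.java && java BaseUrlBuilder` (Java 9 or later for Set.of). In practice the canonical host should come from the application's configured base URL rather than from anything in the request; the allowlist only exists so that legitimate multi-hostname deployments keep working, and a reverse proxy that normalises the Host header is a further layer in front of this check.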

The reflected XSS is caused as a response of the following request:

GET /includes/decorators/global-translations.jsp HTTP/1.1
Host: "><script>alert(/xss/)</script>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Cookie: JSESSIONID={redacted}
Connection: close
Cache-Control: max-age=0

Steps to reproduce:

* Tamper with a GET request to http://jira_instance/includes/decorators/
global-translations.jsp with the Host header set to some XSS payload
(e.g. "><script>alert(/xss/)</script>);

* The offending line of code reflects this payload and the browser renders
it (observe an alert with the text "xss").

=====[ 3. Affected versions & Solutions ]==================================

This test was performed against Atlassian Jira Software version 7.1.7.

According to the vendor's response, the vulnerability is addressed and the
fix is part of the 7.2.2 Server release.

=====[ 4. Timeline of disclosure ]=========================================

- Jul/13/2016 : Vendor contacted via the Atlassian Security Service Desk
Portal (https://securitysd.atlassian.net/servicedesk/customer/
portals);
- Jul/15/2016 : Vendor first responded, acknowledging the vulnerability;
- Jul/16/2016 : Vendor suggested the creation of an account on the portal
https://jira.atlassian.com/;
- Jul/17/2016 : Account created;
- Sep/27/2016 : Vendor released the fix for the vulnerability in version
7.2.2 Server.

=====[ 5. Thanks & Acknowledgements ]======================================

- Tempest Security Intelligence / Tempest's Pentest Team [2]
- Joaquim Brasil - joaquim () tempest.com.br

=====[ 6. References ]=====================================================

[1] https://www.atlassian.com
[2] http://www.tempest.com.br