what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atlassian Jira 7.1.7 Cross Site Scripting

Atlassian Jira 7.1.7 Cross Site Scripting
Posted Jan 17, 2017
Authored by Roberto Soares

Tempest Security Intelligence Advisory ADV-2/2016 - Atlassian Jira version 7.1.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2016-6285
SHA-256 | 3dd9c56b41ffd99414961adca6598dde55319f70e320fedb4f66bd617a6133bd

Atlassian Jira 7.1.7 Cross Site Scripting

Change Mirror Download
=====[ Tempest Security Intelligence -ADV-2/2016 CVE-2016-6285 ]==========

Reflected Cross-Site Scripting (XSS) in Atlassian Jira Software
---------------------------------------------------------------

Author(s):

- Roberto Soares
- roberto.soares () tempest.com.br

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]================================================

1. Overview
2. Detailed description
3. Affected versions & Solutions
4. Timeline of disclosure
5. Thanks & Acknowledgements
6. References

=====[ 1. Overview ]=======================================================

* System affected : Atlassian JIRA Software
* Model : JIRA Software 7.1.7 (other version may be affected)
* Software Version : 7.1.7
Other versions or models may also be affected.
* Impact : Cross-site scripting (XSS) is a code injection
attack that allows an attacker to execute malicious
JavaScript in another user's browser.
* Asset description : JIRA is a proprietary issue tracking product,
developed by Atalassian [1]. It provides bug
tracking, issue tracking and projec management
functions to over 25.000 customers in 122 conuntries
around the globe.

=====[ 2. Detailed description ]===========================================

During a code review analysis recently undergone by JIRA we were able to
verify the existence of a reflected Cross-Site Scripting (XSS)
vulnerability.
In order to perform this analysis we made use of Linux's grep tool. As a
means to find possible stretches of vulnerable code an example of grep's
syntax is shown below:

$ grep -ni 'request.getServerName()' * -R

This, in turn, returned a suspicious piece of code in /src/main/webapp/
includes/decorators/global-translations.jsp, line 18:

...snip...
17 <input type="hidden" title="ajaxUnauthorised" value="<ww:text name="
'common.forms.ajax.unauthorised.alert'"/>">
18 <input type="hidden" title="baseURL" value="<%=request.getScheme() +
"://" +request.getServerName() + ':' + request.getServerPort() +
request.getContextPath()%>">
19 <input type="hidden" title="ajaxCommsError" value="<ww:text
name="'common.forms.ajax.commserror'"/>">
...snip...

This vulnerability happens because a string is created on line 18 that
uses an non-validated value from the request, in this case, the
"request.getServerName()" method, that returns the host name of the
server to which the request was sent.

This message eventually is part of the page that is sent back to the user.
If a malicious value is sent in the request, it may be possible to perform
a cross-site scripting attack. In this case, in order to mitigate this
problem, we recommend not supplying the value as part of the message sent
back to the user. However, if the value must be part of the message, then
we recommend ensuring proper validation and leveraging appropriate output
enconding.

The reflected XSS is caused as a response of the following request:

GET /includes/decorators/global-translations.jsp HTTP/1.1
Host: "><script>alert(/xss/)</script>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Cookie: JSESSIONID={redacted}
Connection: close
Cache-Control: max-age=0

Steps to reproduce:

* Tamper with a GET request to http://jira_instance/includes/decorators/
global-translations.jsp with the Host header set to some XSS payload
(e.g. "><script>alert(/xss/)</script>);

* The offending lines in code pick this payload and browser renders it
(observe an alert with text "xss").

=====[ 3. Affected versions & Solutions ]==================================

This test was performed against Atlassian Jira Software version 7.1.7.

According to vendor's response, the vulnerability is addressed and the fix
is part of the 7.2.2 Server release.

=====[ 4. Timeline of disclosure ]=========================================

- Jul/13/2016 : Vendor contacted by Atlassian Security Service Desk Portal
(https://securitysd.atlassian.net/servicedesk/customer/
portals);
- Jul/15/2016 : Vendor first responded to the recognition of vulnerability;
- Jul/16/2016 : Vendor suggested the creation of an account on the portal
https://jira.atlassian.com/;
- Jul/17/2016 : Account Created.
- Sep/27/2016 : Vendor released the fix for the vulnerability in version
7.2.2 Server.

=====[ 5. Thanks & Acknowledgements ]======================================

- Tempest Security Intelligence / Tempest's Pentest Team [2]
- Joaquim Brasil - joaquim () tempest.com.br

=====[ 6. References ]=====================================================

[1] https://www.atlassian.com
[2] http://www.tempest.com.br
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    38 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close