-------------------------------
INTREST SEC | Security Advisory
-------------------------------


Product:               Confluence Wiki
Vendor:                Atlassian (www.atlassian.com)
Vulnerability Type:    Cross Site Scripting (XSS)
Risk Level:            High (classified by vendor)
Discovered by:         INTREST SEC - NID
Public Diclosure:      2012/09/12
Vendor Notification:   2012/02/07
Tested Versions:       3.5.9, 4.0.3, 4.1.4
CVSS Score:            7.5


## Details

Atlassian Confluence is described as "Collaboration tool for teams to
create, share, and discuss rich content - docs, files, ideas, specs,
diagrams, mockups, anything". (www.atlassian.com)


## Description

A security vulnerability within Atlassian Confluence Wiki has been
identified. It is remotely exploitable and based on the CWE-79 family
Cross-Site-Scripting (XSS). Confluence allows input passed in the URL to
be injected into the HTML structure of an error-page in an unsafe and
unsanitized way. Therefore it is possible to inject nonpersistent
JavasScript code. This vulnerability does not require authentication of
the victim and can easily be exploited by manipulating the GET request.


## Proof of Concept

The following URL triggers the XSS by including <IFRAME
SRC="javascript:alert('XSS')"> into the error page:

http://localhost:8090/pages/includes/
status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm


## Solution

According to the vendor, upgrade to Confluence 4.1.9 or later.


## References

[1] Atlassian Security Advisory
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11


## Time Table

[2012/02/07] Informed vendor about the vulnerability via ticketing system
[2012/02/08] Informed vendor that Atlassian JIRA (at least 4.4.3 and
             4.4.4) is also infected
[2012/02/09] Vendor created a ticket for JIRA vulnerability
[2012/02/09] Vendor response: JIRA problem already known. "The fix
             should be available in JIRA 5.0 or 5.0.1"
[2012/03/21] Vendor tagged ticket as fixed.
[2012/04/02] Asked vendor about things like patch release date,
             requesting a CVE number, releasing an advisory
[2012/04/03] Vendor response: No dedicated Patch; Version 4.1.9 has been
             released; no CVE will requested by vendor
[2012/08/27] Vendor defined advisory release date to 2012/09/11
[2012/08/27] Informed vendor about additional advisory release through
             INTREST SEC
[2012/09/11] Vendor released advisory
[2012/09/13] INTREST SEC released advisory


--

INTREST SEC
Intelligent Information Security
-----------------------------------------------------------------------
Kommunalstrasse 15 - A-4020 Linz - Austria
Tel. +43 (0) 732 / 341 060
Fax. +43 (0) 732 / 341 060 - 20
researchlab [at] intrest.at | www.intrest-sec.com
-----------------------------------------------------------------------