Jira - Multiple Low Risk Vulnerabilities


Versions Affected: 4.0.1 (other versions were not checked.)

Info:
JIRA provides issue tracking and project tracking for software
development teams to improve code quality and the speed of
development. (and so forth.)

External Links:
http://www.atlassian.com/software/jira/

Credits: MaXe (no previous vulnerability information about these
bugs were found.)


-:: The Advisory ::-
Jira is prone to Cross Site Script Redirection (XSSR) also known as
Cross Site Redirection (CSR), Non-Persistent Script Injection and
Low Risk Information Disclosure.

Cross Site Script Redirection:
The "returnUrl" GET-request within ViewIssue.jspa is not sanitizing
user-input in a sufficient way allowing the Data URI scheme to be
used in an attack.

Proof of Concept URL:
ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script>


Non-Persistent Script Injection:
The "returnUrl" GET-request within default.jspa is not sanitizing
user-input in a sufficient way allowing the javascript URI scheme
to be used in a conditional attack if the target user clicks the "Cancel"
button on the target site which is affected by this vulnerability.

Proof of Concept URL:
AttachFile!default.jspa?id=[VALID_ID]&returnUrl=javascript:alert(0)';foo='


Low Risk Information Disclosure:
The "reportKey" GET-request within ConfigureReport.jspa is not
sanitized properly for erroneous input and may cause an exception
when a value passed to this function is invalid.

This will disclose information such as:
- Kernel information
- MySQL version
- Plugins enabled
- Architecture
- Username the application is running under.
- Java Version
- And more..

Proof of Concept URL:
ConfigureReport.jspa?selectedProjectId=[VALID_ID]&reportKey='invalid&Next=Next

-:: Solution ::-
There is currently no known solution at the moment. Jira is closed
source and it is therefore not possible to provide a patch nor audit
the code in order to find any further vulnerabilities easily.


Disclosure Information:
- Vulnerabilities found and researched: 23rd July 2010
- Vulnerabilities disclosed at InterN0T 24th July
- Bugtraq contacted (again) at: 28th July


References:
http://forum.intern0t.net/intern0t-advisories/2861-jira-enterprise-4-0-1-multiple-low-risk-vulnerabilities.html


All of the best,
MaXe