
Confluence Security Advisory 2005-12-05


A flaw has been found in Confluence by which attackers can inject malicious HTML code into Confluence. Atlassian STRONGLY recommends that all Confluence customers apply the fix described below immediately, or upgrade to Confluence 2.0.2.

Vulnerability

By entering HTML code into the Confluence search input fields, attackers can cause arbitrary scripting code to be executed by the user's browser in the security context of the Confluence instance.

This flaw affects all versions of Confluence between 1.4-DR releases and 2.0.1.

(Atlassian was not informed of the problem before it was published by third-party security researchers. You can read the third-party security advisory here: http://secunia.com/advisories/17833/. The vulnerability was originally reported here.)

Fix

This vulnerability is fixed in Confluence 2.0.2 and later. Customers who do not wish to migrate to 2.0.2 can fix this bug using the procedure below:

  1. Edit confluence/decorators/components/searchresults.vmd.
  2. Replace the following reference (around line 48):

     $action.getText("search.result", [$start, $end, $total, $queryString])

     with

     $action.getText("search.result", [$start, $end, $total, $generalUtil.escapeXml($queryString)])

  3. Edit confluence/search/searchsite-results.vm.
  4. Replace the following reference (around line 11):

     Searched for <b>$action.searchQuery.queryString</b>

     with

     Searched for <b>$generalUtil.escapeXml($action.searchQuery.queryString)</b>

  5. Restart Confluence.

Alternatively, you can download the patched source files from CONF-4825. If you are patching a 2.0.x installation, then use the files with the .2.0 suffix. If you are patching a 1.4.x installation, then use the files with the .1.4 suffix.
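To make the before/after concrete, here is an added Python mirror of the two template fragments above. It is not Confluence's own code (the real templates are Velocity, rendered by Java): escape_xml approximates $generalUtil.escapeXml using the five predefined XML entities, the text of the search.result message is an assumed placeholder, and reflects_markup is a small regression check that a patched installation should pass.

```python
import re

# Assumed text for the "search.result" message key; the real wording is not on the page.
SEARCH_RESULT_PATTERN = "Showing {0}-{1} of {2} results for {3}"


def escape_xml(value: str) -> str:
    """Approximation of $generalUtil.escapeXml: replace the five XML special
    characters with their predefined entities. '&' must be replaced first,
    otherwise the '&' introduced by the later replacements would be escaped again."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&apos;"))


def render_unpatched(query: str, start=1, end=10, total=42) -> tuple:
    """Before the fix: both templates drop the raw query string into the markup."""
    summary = SEARCH_RESULT_PATTERN.format(start, end, total, query)
    header = f"Searched for <b>{query}</b>"
    return summary, header


def render_patched(query: str, start=1, end=10, total=42) -> tuple:
    """After the fix: the query goes through escape_xml in both places."""
    safe = escape_xml(query)
    summary = SEARCH_RESULT_PATTERN.format(start, end, total, safe)
    header = f"Searched for <b>{safe}</b>"
    return summary, header


_TAG = re.compile(r"<[^>]+>")


def reflects_markup(query: str, rendered: str) -> bool:
    """Regression check for this advisory's bug: True if any tag typed into the
    search box appears verbatim (unescaped) in the rendered output."""
    return any(tag in rendered for tag in _TAG.findall(query))


if __name__ == "__main__":
    probe = "<i>confluence</i>"  # constructed, harmless query containing markup
    for name, render in (("unpatched", render_unpatched), ("patched", render_patched)):
        summary, header = render(probe)
        leaked = reflects_markup(probe, summary) or reflects_markup(probe, header)
        print(f"{name}: markup reflected unescaped = {leaked}")
```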
