Confluence Security Advisory 2007-11-27

In this advisory:

XSS Type 2 Vulnerabilities in Macros and Wiki Markup

Severity

Atlassian rates this vulnerability as HIGH, according to the scale published by the SANS Institute. The scale allows us to rank a vulnerability as critical, high, moderate or low, as described in the SANS vulnerability analysis.

Risk Assessment

We have identified and fixed some security flaws which may affect Confluence instances in a public environment. These flaws are XSS (cross-site scripting) vulnerabilities in some of Confluence's macros and Wiki Markup, which potentially allow a malicious user (hacker) to insert their own HTML tags or script into a Confluence page.

  • The hacker might take advantage of this flaw to steal other users' session cookies or other credentials, by sending the credentials back to the hacker's own web server.
  • The hacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

Atlassian recommends that you upgrade to Confluence 2.6.2 to fix the vulnerabilities described below.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only.

Vulnerability

The following macros are affected:

  • {color}
  • {panel}
  • {section}
  • {column}
  • {code}

The Wiki Markup for inserting images (e.g. !myImage.png!) is also vulnerable to XSS exploitation.

Fix

The fix is to escape all user input, so that no user input is interpreted as HTML or CSS. In some cases we also perform stricter validation on the range of values a user can supply in an attribute.

These issues have been fixed in Confluence 2.6.2. For more information, please see CONF-9350.
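The two measures described above (escape all user input, validate attribute values) are shown here on a simplified {color} macro. This is an added example, not Confluence's own code: the macro syntax handling, the function names and the colour allow-list are assumptions made for illustration.

```python
import html
import re

# Hypothetical, simplified {color:VALUE}body{color} syntax (no nesting).
_COLOR_MACRO = re.compile(r"\{color:([^}]*)\}(.*?)\{color\}", re.S)
# Assumption: a conservative allow-list for the colour value (a colour name,
# #rgb or #rrggbb). The rules Confluence actually applies may differ.
_COLOR_OK = re.compile(r"(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})\Z")

# Constructed sample input: markup in the parameter and in the macro body.
HOSTILE = '{color:red" onmouseover="x}<script>x()</script>{color}'


def render_color_unsafe(markup):
    """The 'before': parameter and body are copied into the HTML verbatim."""
    return _COLOR_MACRO.sub(
        lambda m: '<span style="color: %s">%s</span>' % (m.group(1), m.group(2)),
        markup)


def render_color_safe(markup):
    """Escape every piece of user text and validate the attribute value."""
    out, pos = [], 0
    for m in _COLOR_MACRO.finditer(markup):
        # Text outside the macro is user input too, so it is escaped as well.
        out.append(html.escape(markup[pos:m.start()]))
        color = m.group(1).strip()
        body = html.escape(m.group(2))
        if _COLOR_OK.match(color):
            out.append('<span style="color: %s">%s</span>' % (color, body))
        else:
            # Value outside the allowed range: drop the styling, keep the text.
            out.append(body)
        pos = m.end()
    out.append(html.escape(markup[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print("unsafe:", render_color_unsafe(HOSTILE))
    print("safe:  ", render_color_safe(HOSTILE))
    print("safe:  ", render_color_safe("{color:#ff0000}hi{color}"))
```

Escaping alone would not be enough for the parameter, because the value lands inside a style attribute; the allow-list is what keeps arbitrary CSS out of it.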

Our thanks to Igor Minar, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate his working with us towards identifying and solving the problem.

Please let us know what you think of the format of this security advisory and the information we have provided.

  1. Nov 28, 2007

    Matthew Donadio says:

    Can you clarify something please? If an earlier instance is configured so that Anonymous users only have View permissions and public-signon is disabled, does the vulnerability still exist (assuming a trusted user base)? Thanks.

    1. Nov 28, 2007

      Sarah Maddox says:

      Hallo Matthew

      Assuming a trusted, non-anonymous user base the risk is probably lower, because anyone exploiting the vulnerability would have to do so under their own authority and it would be obvious who the attacker was.

      Note that the vulnerability extends to comments, as well as updates to pages. So if your anonymous users have permission to add comments, they could potentially exploit an XSS flaw.

      Cheers – Sarah
