|
In this advisory: XSS Vulnerability in Dashboard ActionSeverityAtlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low. Risk AssessmentWe have identified and fixed a security flaw which may affect Confluence instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in a Confluence action, which potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.
To fix the vulnerabilities described below, Atlassian recommends that you take one of the following steps:
You can read more about XSS attacks at cgisecurity, CERT and other places on the web. Risk MitigationIf you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only. VulnerabilityA hacker can inject their own JavaScript into the following Confluence action: http://confluence-location/dashboard.action?spacesSelectedTab
The above Confluence action is used to determine which spaces are listed on a user's Dashboard. For example, the following URL requests a list of team spaces only: http://confluence-location/dashboard.action?spacesSelectedTab=team
The action is invoked when a user selects one of the 'Spaces' tabs on the Dashboard, such as the 'Team' tab. It can also be invoked by simply entering the URL into the browser address bar. FixThese issues have been fixed in Confluence 2.7.1 (see the release notes), which you can download from the download centre. A patch is available for Confluence 2.6.2 and Confluence 2.7.0. For more information, please see CONF-10289. Our thanks to Mary Johnson, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate her working with us towards identifying and solving the problem. Please let us know what you think of the format of this security advisory and the information we have provided. |
Comments (2)
Jan 25, 2008
Brian M. Thomas says:
Format's fine, but I don't find it easy to identify whether my version of Conflu...Format's fine, but I don't find it easy to identify whether my version of Confluence is vulnerable or patchable. If the JIRA issue clarifies that, as they usually do, that's acceptable, but it would be helpful if the advisory said so explicitly, and even more so if there were a regular chart of applicability here on the advisory so that the JIRA page need not be consulted if patching were unnecessary.
Also, if the page was created from a template as I'm sure it did and as I would have done, the text of the panel crediting the original reporter should probably highlight the need to heed the gender of the reporter(s) so as to avoid such a faux pas as:
Our thanks to Mary Johnson, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate his working with us towards identifying and solving the problem.
Jan 28, 2008
Sarah Maddox says:
Hallo Brian Thank you for two good points. We've changed 'his' to 'her' in the ...Hallo Brian
Thank you for two good points. We've changed 'his' to 'her' in the tribute. And we'll be sure to advise on the Confluence versions affected in future security advisories (on the assumption that there'll be some future advisories
).
Cheers — Sarah
Add Comment