lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 28 Jul 2010 02:06:47 -0600
From: advisories@...ern0t.net
To: bugtraq@...urityfocus.com
Subject: Jira Enterprise 4.0.1 - Multiple Low Risk Vulnerabilities

 Jira - Multiple Low Risk Vulnerabilities


Versions Affected: 4.0.1 (other versions were not checked.)

Info:
JIRA provides issue tracking and project tracking for software
development teams to improve code quality and the speed of
development. (and so forth.)

External Links:
http://www.atlassian.com/software/jira/

Credits: MaXe (no previous vulnerability information about these
bugs were found.)


-:: The Advisory ::-
Jira is prone to Cross Site Script Redirection (XSSR) also known as
Cross Site Redirection (CSR), Non-Persistent Script Injection and
Low Risk Information Disclosure.

Cross Site Script Redirection:
The "returnUrl" GET-request within ViewIssue.jspa is not sanitizing
user-input in a sufficient way allowing the Data URI scheme to be
used in an attack.

Proof of Concept URL:
ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script>


Non-Persistent Script Injection:
The "returnUrl" GET-request within default.jspa is not sanitizing
user-input in a sufficient way allowing the javascript URI scheme
to be used in a conditional attack if the target user clicks the "Cancel"
button on the target site which is affected by this vulnerability.

Proof of Concept URL:
AttachFile!default.jspa?id=[VALID_ID]&returnUrl=javascript:alert(0)';foo='


Low Risk Information Disclosure:
The "reportKey" GET-request within ConfigureReport.jspa is not
sanitized properly for erroneous input and may cause an exception
when a value passed to this function is invalid.

This will disclose information such as:
- Kernel information
- MySQL version
- Plugins enabled
- Architecture
- Username the application is running under.
- Java Version
- And more..

Proof of Concept URL:
ConfigureReport.jspa?selectedProjectId=[VALID_ID]&reportKey='invalid&Next=Next

-:: Solution ::-
There is currently no known solution at the moment. Jira is closed
source and it is therefore not possible to provide a patch nor audit
the code in order to find any further vulnerabilities easily.


Disclosure Information:
- Vulnerabilities found and researched: 23rd July 2010
- Vulnerabilities disclosed at InterN0T 24th July
- Bugtraq contacted (again) at: 28th July


References:
http://forum.intern0t.net/intern0t-advisories/2861-jira-enterprise-4-0-1-multiple-low-risk-vulnerabilities.html


All of the best,
MaXe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ