
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN364
____________________________________________________________________

DATE                : 14/09/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Atlassian Confluence versions
                             prior to 4.1.9.

======================================================================
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11
______________________________________________________________________

Confluence Security Advisory 2012-09-11

    Added by Andrew Lui [Atlassian Technical Writer], last edited by
Vitaly Osipov [Atlassian] on Sep 12, 2012

This advisory discloses a security vulnerability that we have found and
fixed in a recent version of Confluence.

    Customers who have downloaded and installed Confluence should
upgrade their existing Confluence installations to fix this
vulnerability.
    Enterprise Hosted customers need to request an upgrade by raising a
support request. See Enterprise Hosting Upgrade Time Windows for
instructions.
    Atlassian OnDemand and JIRA Studio customers are not affected by
any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability
listed in this advisory has been discovered by Atlassian, unless noted
otherwise. The reporter may also have requested that we do not credit
them.

If you have questions or concerns regarding this advisory, please raise
a support request at http://support.atlassian.com/.


In this advisory:

    XSS Vulnerability


XSS Vulnerability

Severity

Atlassian rates the severity level of this vulnerability as High,
according to the scale published in Severity Levels for Security
Issues. The scale allows us to rank the severity as critical, high,
medium or low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment. This vulnerability is not of
Critical severity.


Description

We have identified and fixed a reflected, or non-persistent, cross-site
scripting (XSS) vulnerability that affects Confluence instances,
including publicly available instances (that is, Internet-facing
servers). XSS vulnerabilities allow an attacker to embed their own
JavaScript into a Confluence page when it is viewed by the victim's
browser. An attacker does not need an account on Confluence server. A
successful attack does not necessarily modify any server content.

We recommend that you read about XSS attacks at Wikipedia, the Web
Application Security Consortium and other places on the web before
considering specific mitigations for this vulnerability.

This vulnerability affects all versions of Confluence earlier than
4.1.8. It has been fixed in Confluence 4.1.9 and later. This issue can
be tracked here:
CONF-26366 - Cross Site Scripting Vulnerability - RESOLVED


Risk Mitigation

We strongly recommend upgrading your Confluence installation to fix
this vulnerability. Please see the 'Fix' section below.

One possible workaround is to block requests to certain URLs before
they reach Confluence. HTTP GET requests to any Confluence URL whose
file name ends in ".vm" should be blocked. For example, if you use the
Apache web server to front Confluence and your Confluence is under the
/wiki path, then you can set up the following rules to block XSS
attempts:

# Apache matches <LocationMatch> against the URL path only; the query
# string is not part of the match, so the second rule is the one that
# actually blocks /wiki/...*.vm requests, with or without a query string.
# "Deny from all" rejects every HTTP method, not only GET.
<LocationMatch ^/wiki/.*\.vm\?.* >
   Deny from all
</LocationMatch>

<LocationMatch ^/wiki/.*\.vm$ >
   Deny from all
</LocationMatch>

We recommend that you read the links above about how XSS attacks work
before applying any workarounds. This code is only an example.
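As an added example (not part of the CERT-Renater bulletin or Atlassian's advisory), the following Python script applies the same path-only ".vm" rule to Apache access-log lines, so an administrator can check which earlier requests the workaround would have blocked. The log lines, IP addresses and request paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines (not real traffic); the
# request paths are illustrative and only the ".vm" suffix matters here.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2012:10:01:02 +0200] "GET /wiki/pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2012:10:01:05 +0200] "GET /wiki/template.vm?param=x HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2012:10:02:11 +0200] "GET /wiki/some/dir/page.vm HTTP/1.1" 200 300 "-" "curl/7.26"
203.0.113.9 - - [14/Sep/2012:10:03:40 +0200] "GET /wiki/search.action?q=file.vm HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2012:10:04:00 +0200] "POST /wiki/other.vm HTTP/1.1" 403 200 "-" "Mozilla/5.0"
"""

# Apache applies <LocationMatch> to the URL path only (query string
# excluded), so this mirrors the advisory's second rule ^/wiki/.*\.vm$
# for a Confluence served under the /wiki path.
VM_PATH = re.compile(r"^/wiki/.*\.vm$")

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def path_matches_rule(target):
    """True if the request target's path (query string ignored) matches the .vm rule."""
    return VM_PATH.match(urlsplit(target).path) is not None


def find_vm_requests(log_text, methods=("GET",)):
    """Return (ip, method, target, status) for requests the rule would block."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["method"] in methods and path_matches_rule(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_vm_requests(SAMPLE_LOG):
        print(hit)
```

Pass `methods=("GET", "POST")` to see every request the Apache rule (which is not method-specific) would reject.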


Fix

Upgrade

The vulnerability and fix version are described in the 'Description'
section above.

We recommend that you upgrade to Confluence 4.1.9 or later, if
possible. For a full description of the latest version of Confluence,
see the release notes.
You can download the latest version of Confluence from the download
centre.

Patches are not available for this vulnerability for any version of
Confluence.
Please see our Security Patch Policy for further information.

Our thanks to D. Niedermaier of Intrest SEC who reported the XSS
vulnerability described in this advisory. We fully support the
reporting of vulnerabilities and we appreciate it when people work
with us to identify and solve the problem.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
