Jira Enterprise 4.0.1 - Multiple Low Risk Vulnerabilities Jul 28 2010 08:06AM
advisories intern0t net
Jira - Multiple Low Risk Vulnerabilities

Versions Affected: 4.0.1 (other versions were not checked.)

JIRA provides issue tracking and project tracking for software
development teams to improve code quality and the speed of
development. (and so forth.)

External Links:

Credits: MaXe (no previous vulnerability information about these
bugs was found.)

-:: The Advisory ::-
Jira is prone to Cross Site Script Redirection (XSSR) also known as
Cross Site Redirection (CSR), Non-Persistent Script Injection and
Low Risk Information Disclosure.

Cross Site Script Redirection:
The "returnUrl" GET parameter of ViewIssue.jspa does not sufficiently
sanitize user input, which allows the data URI scheme to be used in
an attack.

Proof of Concept URL:

Non-Persistent Script Injection:
The "returnUrl" GET parameter of default.jspa does not sufficiently
sanitize user input, which allows the javascript URI scheme to be used
in a conditional attack: it only triggers if the target user clicks the
"Cancel" button on the target site affected by this vulnerability.

Proof of Concept URL:

Low Risk Information Disclosure:
The "reportKey" GET parameter of ConfigureReport.jspa is not properly
validated against erroneous input, and an invalid value passed to it
may cause an exception.

This will disclose information such as:
- Kernel information
- MySQL version
- Plugins enabled
- Architecture
- Username the application is running under.
- Java Version
- And more..

Proof of Concept URL:

-:: Solution ::-
There is currently no known solution. Jira is closed source, so it is
not possible to provide a patch or to easily audit the code for
further vulnerabilities.
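
With no vendor fix available, one compensating control is to check "returnUrl" values in front of the application, for example in a reverse-proxy filter or during access-log review. The following is an added example, not part of the original advisory and not Atlassian code; the policy of accepting only site-local paths, the request paths and the sample values are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "returnUrl"                        # parameter named in the advisory
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_IGNORED = re.compile(r"[\t\r\n]")         # browsers drop these inside a URL
_LEADING = "".join(map(chr, range(0x21)))  # C0 control characters and space


def classify_return_url(value: str) -> str:
    """Return 'ok' for a site-local path, else a short rejection reason."""
    # Decode a few more times so double-encoded values are judged in final form.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = _IGNORED.sub("", value).lstrip(_LEADING)
    match = _SCHEME.match(value)
    if match:                              # data:, javascript:, http:, ...
        return "scheme:" + match.group(1).lower()
    if value.startswith(("//", "\\", "/\\")):
        return "offsite"                   # protocol-relative redirect
    if not value.startswith("/"):
        return "not-rooted"                # assumed policy: rooted paths only
    return "ok"


def audit_request(target: str) -> list[str]:
    """Classify every returnUrl value in a request target (path plus query)."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return [classify_return_url(v) for v in values]


# Constructed request targets; paths and values are placeholders.
SAMPLES = [
    "/ViewIssue.jspa?id=1&returnUrl=data%3Atext%2Fhtml%2Cplaceholder",
    "/default.jspa?returnUrl=JaVaScRiPt%3Avoid(0)",
    "/default.jspa?returnUrl=%2Fbrowse%2FDEMO-1",
    "/ViewIssue.jspa?returnUrl=%252F%252Fexample.invalid",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_request(sample), sample)
```

Any result other than "ok" is a candidate for blocking at the proxy or for follow-up in log review.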

Disclosure Information:
- Vulnerabilities found and researched: 23rd July 2010
- Vulnerabilities disclosed at InterN0T 24th July
- Bugtraq contacted (again) at: 28th July


All of the best,

Copyright 2010, SecurityFocus