Confluence Security Advisory 2005-12-05

Added by daniel@atlassian.com, last edited by cmiller on Dec 05, 2005

A flaw has been found in Confluence that allows attackers to inject malicious HTML code into Confluence. Atlassian STRONGLY recommends that all Confluence customers apply the fix described below immediately, or upgrade to Confluence 2.0.2.

Vulnerability

By entering HTML code into the Confluence search input fields, attackers can cause arbitrary scripting code to be executed by the user's browser in the security context of the Confluence instance.

This flaw affects all versions of Confluence between 1.4-DR releases and 2.0.1.

(Atlassian was not informed of the problem before it was published by third-party security researchers. You can read the third-party security advisory here: http://secunia.com/advisories/17833/. The vulnerability was originally reported here.)

Fix

This vulnerability is fixed in Confluence 2.0.2 and later. Customers who do not wish to migrate to 2.0.2 can fix this bug using the procedure below:

  1. Edit the file confluence/decorators/components/searchresults.vmd
  2. Replace the following reference (around line 48):
    $action.getText("search.result", [$start, $end, $total, $queryString])

    with
    $action.getText("search.result", [$start, $end, $total, $generalUtil.escapeXml($queryString)])


  3. Edit the file confluence/search/searchsite-results.vm
  4. Replace the following reference (around line 11):
    Searched for <b>$action.searchQuery.queryString</b>

    with
    Searched for <b>$generalUtil.escapeXml($action.searchQuery.queryString)</b>


  5. Restart Confluence.

Alternatively, you can download the patched source files from [CONF-4825@JIRA]. If you are patching a 2.0.x installation, then use the files with the .2.0 suffix. If you are patching a 1.4.x installation, then use the files with the .1.4 suffix.
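
One way to confirm that the manual edits above took effect is to scan the two template files for search-query references that are still output without $generalUtil.escapeXml(...). The script below is an added example, not part of Atlassian's advisory or patch: the function name unescaped_refs is hypothetical, the sample strings are constructed from the before/after lines quoted in the fix steps, and the check goes slightly beyond them by also matching Velocity's quiet ($!ref) and formal (${ref}) notations.

```python
import re

# Velocity references named in the advisory's fix steps. The pattern also
# matches the quiet ($!ref) and formal (${ref}) notations of the same names.
QUERY_REF = re.compile(
    r"\$!?\{?(?:action\.searchQuery\.queryString|queryString)\b\}?"
)
ESCAPE_CALL = "$generalUtil.escapeXml("


def unescaped_refs(template_text):
    """Return [(line_no, reference)] for every query-string reference that is
    not passed directly to $generalUtil.escapeXml(...).

    Line-based heuristic: a reference used inside a directive such as #if is
    reported too and has to be reviewed by hand.
    """
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for match in QUERY_REF.finditer(line):
            before = line[:match.start()].rstrip()
            if not before.endswith(ESCAPE_CALL):
                findings.append((line_no, match.group(0)))
    return findings


# Constructed samples: the "before" and "after" lines quoted in the fix steps.
UNPATCHED = '''$action.getText("search.result", [$start, $end, $total, $queryString])
Searched for <b>$action.searchQuery.queryString</b>'''

PATCHED = '''$action.getText("search.result", [$start, $end, $total, $generalUtil.escapeXml($queryString)])
Searched for <b>$generalUtil.escapeXml($action.searchQuery.queryString)</b>'''

if __name__ == "__main__":
    for name, text in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, unescaped_refs(text))
```

To check a real installation, pass the contents of searchresults.vmd and searchsite-results.vm to unescaped_refs; an empty list means no unescaped query-string reference was found.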
