SharePoint Connector Security Advisory 2010-01-18 (v 1.3)
In this advisory:
XSS Vulnerability in the SharePoint List Macro
Severity
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a security vulnerability that may affect Confluence instances in a public environment. The flaw is a cross-site scripting (XSS) vulnerability that can occur when the SharePoint List macro is used on a page or blog post. The possible consequences are:
- The attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
- The attacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Risk Mitigation
We recommend that you upgrade your Confluence SharePoint Connector to fix this vulnerability. Please see the 'Fix' section below.
Alternatively, if you are not in a position to undertake this immediately and you judge it necessary, you can disable public access to your SharePoint site until you have applied the necessary upgrade. For even tighter control, you could restrict access to trusted groups.
Vulnerability
An attacker can execute their own rogue JavaScript code via the SharePoint List macro. All versions of the SharePoint Connector prior to 1.1 are affected by this vulnerability. The fix is available in Confluence SharePoint Connector 1.1. For more information, please refer to CSI-501.
Fix
This issue has been fixed in Confluence SharePoint Connector 1.1 (see the release notes). Please refer to the SharePoint Connector 1.1 Upgrade Notes for further information on upgrading the Confluence SharePoint Connector.
Note that the SharePoint Connector 1.1 requires Confluence 2.8.0 or later. If you are using Confluence 2.7.4 or earlier and are unable to upgrade, please contact our support team for assistance in addressing the vulnerability.