02/Jul/2015 3:27 AM I found an XSS flaw on Confluence, https://jira.atlassian.com/browse/CONF-38127
In the Confluence comment module, users can upload and embed a .SWF file in their comment. Confluence uses an atl_token parameter on the GET HTTP request, so if the attacker sends the link of the .SWF file (the value of src on the embed tag) to his victim, the malicious SWF file won't execute in the victim's browser. Every user has an atl_token. This is a CSRF protection and an XSS protection too. We can bypass this protection by using this.loaderInfo.parameters in the malicious .SWF. this.loaderInfo.parameters.parameter_name extracts the value of your target parameter, in this case atl_token. The attacker must also insert an <a> tag in the malicious SWF file and then append the extracted atl_token to the <a> tag, so if the victim clicks the link (<a>) in our embedded SWF file, the .SWF file will be executed in the victim's browser.
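As an added defensive illustration (not from the report and not Atlassian's code), the following shows how an attachment-serving endpoint can refuse to render any user upload that sniffs as a Flash movie inline, so a comment attachment cannot run as SWF in the site's origin regardless of its declared name or MIME type. The header and sample byte strings are constructed for this example.

```python
# Magic bytes that begin every SWF container: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Constructed samples: a minimal SWF header (signature, version, little-endian length)
# and a PNG header, both padded to the 8-byte minimum the sniffer expects.
SAMPLE_SWF = b"FWS\x0a" + (12).to_bytes(4, "little") + b"\x00" * 4
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def is_swf(data: bytes) -> bool:
    """True if the blob is a Flash movie, whatever filename or Content-Type it was uploaded with."""
    return len(data) >= 8 and data[:3] in SWF_MAGICS


def attachment_headers(filename: str, data: bytes, declared_type: str) -> dict:
    """Response headers for serving a user upload.

    Anything that sniffs as SWF, claims the Flash MIME type, or carries a .swf name is
    forced to download as opaque bytes; nosniff stops the browser from second-guessing.
    """
    # Strip characters that could break out of the quoted filename parameter.
    safe_name = "".join(ch for ch in filename if ch not in '"\r\n')
    headers = {"X-Content-Type-Options": "nosniff"}
    flashy = (
        is_swf(data)
        or declared_type == "application/x-shockwave-flash"
        or safe_name.lower().endswith(".swf")
    )
    if flashy:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # A SWF renamed to .png with an image MIME type is still caught by the sniffer.
    print(attachment_headers("cat.png", SAMPLE_SWF, "image/png"))
    print(attachment_headers("cat.png", SAMPLE_PNG, "image/png"))
```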