Hello,
Security scanner OWASP ZAP has found an External redirect security issue:
Request:
GET https://jira.cyone.lv/secure/CreateSubTaskIssue!default.jspa?parentIssueId=%7B0%7D&returnUrl=243110798923184273.owasp.org HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Referer: https://jira.cyone.lv/secure/QuickSearch.jspa?searchString=ZAP
Cookie: atlassian.xsrf.token=B7DJ-EL5O-SYZ4-ORSR_2c8b63fe2a5c7545ad2923c72d951ea2e8dd9f3c_lout; JSESSIONID=3C7B594D1622F1EDC7FE356C47A2738D
Host: jira.cyone.lv
Response:
HTTP/1.1 302 302
Date: Wed, 02 Sep 2020 08:50:32 GMT
Server: Microsoft-IIS/8.5
Strict-Transport-Security: max-age=63072000
X-AREQUESTID: 710x51363x1
X-ASESSIONID: dlarbl
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-ASEN: SEN-15226039
Set-Cookie: atlassian.xsrf.token=B7DJ-EL5O-SYZ4-ORSR_3efe157ea8bca32f3346d23340dc4d227b088011_lout; Path=/; Secure
X-AUSERNAME: anonymous
Location: 243110798923184273.owasp.org
Content-Type: text/html;charset=UTF-8
Content-Length: 0
How to fix it?
Note:
Header Server: Microsoft-IIS/8.5 -- substitution using Apache mode_secure.
Apache is really used in reverse proxy mode. Back-end protocol: ajp://
Server version: Apache/2.4.46 (codeit)
Server built: Aug 7 2020 15:21:08
On CentOS Linux release 7.8.2003 (Core)
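As an added illustration (not code from the reporter, from Atlassian, or from Jira itself) of the usual fix for a returnUrl-style open redirect: the application, or a filter in front of it, accepts only a local absolute path as the redirect target and falls back to a fixed page for anything else. The site origin, the fallback page and the REPORTED_REQUEST_URL constant are assumptions for the example; the request URL and the Location value are the ones from the report above. resolve_location shows where a browser would actually send the user for a given Location header, which is useful when triaging a scanner finding.

```python
from urllib.parse import urlsplit, urljoin

# Assumed site origin for the example; in a deployment this is the configured
# base URL of the application behind the reverse proxy.
SITE_ORIGIN = "https://jira.example.invalid"
DEFAULT_TARGET = "/secure/Dashboard.jspa"  # assumed safe fallback page

# Request URL and Location value copied from the ZAP finding above.
REPORTED_REQUEST_URL = (
    "https://jira.cyone.lv/secure/CreateSubTaskIssue!default.jspa"
    "?parentIssueId=%7B0%7D&returnUrl=243110798923184273.owasp.org"
)
REPORTED_LOCATION = "243110798923184273.owasp.org"


def is_safe_return_url(value: str, site_origin: str = SITE_ORIGIN) -> bool:
    """Return True only for a local, absolute-path redirect target.

    Accepts values such as "/secure/Browse.jspa?x=1#frag".  Rejects anything
    carrying a scheme or authority ("https://evil", "//evil", "/\\evil"),
    bare host-like strings ("evil.org"), and control characters that could
    be used to split the response header.
    """
    if not value or len(value) > 2048:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False  # CR/LF and friends: header injection, not a path
    if "\\" in value:
        return False  # some browsers treat "\" as "/" in the authority part
    if not value.startswith("/") or value.startswith("//"):
        return False  # must be an absolute local path, not scheme-relative
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    # Belt and braces: resolve against the site origin and confirm the
    # scheme and host did not change.
    resolved = urlsplit(urljoin(site_origin + "/", value))
    origin = urlsplit(site_origin)
    return (resolved.scheme, resolved.netloc) == (origin.scheme, origin.netloc)


def safe_redirect_target(value: str, default: str = DEFAULT_TARGET) -> str:
    """Value to put in the Location header: the requested target if it is
    local, otherwise the fixed fallback page."""
    return value if is_safe_return_url(value) else default


def resolve_location(request_url: str, location: str) -> str:
    """Where a browser would go for a given Location header value, following
    RFC 3986 reference resolution against the request URL."""
    return urljoin(request_url, location)


if __name__ == "__main__":
    for candidate in (REPORTED_LOCATION, "/secure/Browse.jspa?id=1",
                      "//attacker.invalid/", "https://attacker.invalid/"):
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)}")
    print("browser resolves reported Location to:",
          resolve_location(REPORTED_REQUEST_URL, REPORTED_LOCATION))
```

Validating on the application side is the durable fix; a rewrite rule on the Apache proxy can only strip or replace the parameter and does not know which paths are legitimate return targets.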
Hi Sergey,
Thanks for reporting this issue. However, it's not clear to me just yet if this is a problem specifically with Jira or potentially in regards to the reverse proxy configuration here. I have created a support case so that we can better understand your environment and the scope of this. Please see https://getsupport.atlassian.com/servicedesk/customer/portal/20/GHS-199593
Please note that our support does not extend itself to proxy configuration, but for the sake of better identifying if this is in fact a security issue within Jira we would like to investigate this a bit further.
Andy
Hi Andy,
Thank you.
IMHO, this issue is not linked with the reverse proxy configuration.