security vulnerability

Hi,

We are using version 5.2.8 of Jira. We have a problem: if we want to create an issue whose description field has the content below, we cannot create it, because our security tool blocks the creation request as an SQL injection or HTTP attack. If we want to add a comment with the same content to any issue, we have no problem.

When other applications in our company have the same problem, the application's owner can solve it by setting parameter(s) or by development work.

Can we solve the problem?

The content that causes the problem:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svc_init SYSTEM "MLP_SVC_INIT_320.DTD">
<svc_init ver="3.2.0">
<hdr ver="3.2.0">
<client>
<id>0</id>
<requestmode type="PASSIVE"/>
</client>
<subclient last_client="YES">
<id>3</id>
<pwd>subclient_secret</pwd>
<serviceid>4</serviceid>
</subclient>
</hdr>
<slir ver="3.2.0" res_type="SYNC">
<msids>
<msid type="MSISDN" enc="ASC">xxxxxxx</msid>
</msids>
<eqop>
<resp_timer>10</resp_timer>
<hor_acc>3000</hor_acc>
</eqop>
<loc_type type="LAST"/>
</slir>
</svc_init>

14 answers

WAFs are notoriously complex technology and do misfire sometimes. They require constant tuning and updating. Please post more details when you get them; until then this does not look like a JIRA issue.

P.S. Perhaps it is not wise to post your customer's phone number (MSISDN) on a public forum. Your XML snippet also includes a password, unless it is the redacted version.

0 votes

You should get the people that manage the security thing to whitelist Jira if it's internal.

We have no problem internally, because people do not reach Jira through the WAF (Web Application Firewall). If people want to reach Jira over the internet (where the WAF is on the network), some requests cannot get through.

0 votes

That is still your security software interfering with the requests.

If Jira is working internally, then that is firm proof that the security software needs configuring to allow external access properly. It's nothing to do with Jira and Jira can't be expected to do anything to fix this - it's the WAF that needs configuring/fixing.

Now, our WAF security configuration parameter is at a low level. Along the way, we came close to turning the WAF security off :( . What do you think: why post open source content on the request?

0 votes

I'm sorry, I don't understand that. I understand that you're telling us that the WAF is set at low level security. I do not understand the "post open source content on the request" part.

However, I really do not think Jira, or even what you are posting is a problem.

The situation appears to be that your WAF is blocking access to parts of Jira. Jira works fine when not accessed through the WAF. Therefore, the WAF is a problem and needs to be fixed.

It means that if our other web applications post requests with specific characters (like the main content),

the requests can pass through the WAF, because the application's request content is masked and the WAF does not hold it as an SQL injection or HTTP script attack.

WAF admins say that some of our Jira request content contains characters that are critical for security (SQL injection or HTTP script attack). Why does Jira have this problem?

Sorry to interrupt, but those guys before me just answered you that the problem is in your WAF, not JIRA. If your WAF is stupid and overreacts (think about a boss that doesn't let you explain the problem, but cries out immediately), it is the WAF's problem, period.

"why does jira have this problem?" Well it doesn't

"application request content masked" - well, that may be custom stuff, how the h**l should we know?

0 votes

I have to agree with Radu here - it is irrelevant what your WAF administrators are telling you.

They need to EXPLAIN what content is "wrong" and why.

Then you need to explain to them why you are posting it and why it is safe.

Then you need to get them to change the settings on the WAF to accept it as valid.

I cannot emphasise this any more: the problem is entirely with your WAF.

Ok, there is a chance that your WAF is picking up some bug in Jira that Atlassian and all the other users have missed (or haven't notified us about yet). But you need your WAF to explain what they think the problem is.

0 votes

Good. I can't see any way of fixing this without them telling you what your WAF is blocking and why it thinks it should block it. Once you know that, then you should be able to tell them what they've got wrong...

A few days ago the WAF admins said that only some Jira requests' content (like SQL injection or HTTP script attack) was blocked by the WAF; the default setting is the same for all web applications. They set it down to low security, but it is still blocking.

I will ask, get some logs, learn all the details on the first working days, and share them with you when I get back.

Regards,

Huseyin

Hi All,

I have finished working with the WAF admin.

Working results: the WAF is blocking the content or request because it looks like a cross-site scripting attack; you can see the WAF logs below.

0 votes

Ok, then your WAF has a rule that is wrong.

In both cases, it's saying "cross-site script check" failed. You'll need to get the WAF administrators to explain that rule and then get them to fix it so that it does not get triggered by Jira. The reason I say that is that there are no cross-site attack vectors in either of those posts, so the "default webapp policy" in your WAF is throwing false positives. At a guess, I'd say it's spotting the ampersand-gt, which is perfectly valid for entering data.
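To make the false positive concrete, here is an added example (not code from the original thread, from Atlassian, or from any WAF vendor) that replays what the WAF sees: the browser sends the create-issue form as an application/x-www-form-urlencoded POST, the WAF decodes each parameter and runs its "cross-site script check" over the decoded value. The field names `summary` and `description` and both regexes are assumptions constructed for the illustration; the MLP XML is the poster's own snippet with the MSISDN and subclient password left redacted. The example goes a step beyond the thread: a naive tag-based rule blocks the MLP XML (the false positive), a rule tuned to script-capable constructs lets it through while still catching a real XSS payload, and simply exempting the `description` parameter, the quick fix a WAF admin may reach for, also lets the real payload through.

```python
import re
from urllib.parse import urlencode, parse_qs

# The MLP SLIR request from the original post. MSISDN and password stay redacted;
# the poster's snippet is what the WAF was blocking.
MLP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svc_init SYSTEM "MLP_SVC_INIT_320.DTD">
<svc_init ver="3.2.0">
<hdr ver="3.2.0">
<client>
<id>0</id>
<requestmode type="PASSIVE"/>
</client>
<subclient last_client="YES">
<id>3</id>
<pwd>REDACTED</pwd>
<serviceid>4</serviceid>
</subclient>
</hdr>
<slir ver="3.2.0" res_type="SYNC">
<msids>
<msid type="MSISDN" enc="ASC">xxxxxxx</msid>
</msids>
<eqop>
<resp_timer>10</resp_timer>
<hor_acc>3000</hor_acc>
</eqop>
<loc_type type="LAST"/>
</slir>
</svc_init>"""

# A genuine stored-XSS payload, constructed here for the comparison.
XSS_PAYLOAD = 'hello <img src=x onerror="alert(document.cookie)">'

# Hypothetical form field names; Jira's real create-issue form is not reproduced.
def build_create_issue_body(summary, description):
    """Serialise the form POST a browser would send (application/x-www-form-urlencoded)."""
    return urlencode({"summary": summary, "description": description})

# Naive "cross-site script check" (assumed): any tag-looking text, or its
# entity-encoded form (&lt; / &gt;), trips the rule. This is the false-positive rule.
NAIVE_XSS_RE = re.compile(r"<\s*/?\s*[a-zA-Z!?]|&lt;|&gt;", re.IGNORECASE)

# Tuned check (assumed): only constructs that can actually run script in a browser.
TUNED_XSS_RE = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b"  # script-capable elements
    r"|javascript\s*:"                              # javascript: URLs
    r"|\bon[a-z]+\s*=",                             # inline event handlers
    re.IGNORECASE,
)

def waf_decision(body, rule, exempt_params=()):
    """Decode the form body the way a WAF does; return (blocked, offending_param)."""
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        if name in exempt_params:      # parameter-level exclusion, a common quick fix
            continue
        for value in values:
            if rule.search(value):
                return True, name
    return False, None

def decide(rule, description, exempt_params=()):
    """Build the create-issue POST for `description` and run it through `rule`."""
    body = build_create_issue_body("MLP SLIR request", description)
    return waf_decision(body, rule, exempt_params)

if __name__ == "__main__":
    print("naive rule, MLP XML:     ", decide(NAIVE_XSS_RE, MLP_XML))
    print("tuned rule, MLP XML:     ", decide(TUNED_XSS_RE, MLP_XML))
    print("tuned rule, real XSS:    ", decide(TUNED_XSS_RE, XSS_PAYLOAD))
    print("naive rule + exemption, real XSS:",
          decide(NAIVE_XSS_RE, XSS_PAYLOAD, exempt_params=("description",)))
```

The last line is the check worth taking back to the WAF admins: whitelisting the whole description parameter removes the false positive but also removes the protection, whereas narrowing the signature to script-capable constructs keeps both. Which of the two a real WAF supports depends on the product, so ask for the rule ID from the log entry and tune that rule rather than the global security level.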

Our WAF admin has solved the issue with your assistance. Thank you all.

Best regards,

Huseyin
