Jira – Open redirect vulnerability using os_destination

The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.

Attack Scenario

Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on this URL will be redirected to a different web site.
This feature cause an attacker to launch a phishing attack. Because many users only look at the domain name of a link before clicking on it and they will think they are going to a regular Jira page. But they are being redirected to a malicious or an external site.

JIRA site keep track of external links followed is to redirect the user from a local resource rather than linking directly to the external site. Here, instead of linking directly to an external site, a link points to redirect functionality at the local login.jsp page and passes in the os_destination as a parameter (allows you to redirect to any site).

If the user is already logged in, it doesn’t seem to matter which page the os_destination parameter is on. Even if it’s a page that doesn’t exist, it will still redirect the user immediately. For example:
https://jira.example.com/ThisCanBeAnything?os_destination=%2F%2Fatlassian.com

 os_destination parameter

• Points to the page to redirect after a successful login
• The manipulation of the argument os_destination leads to a privilege escalation vulnerability (Redirect).

{
“credential” : {
“type” : “form”,
“ttl” : 300000,
“action” : “http://some.server.com/login.action?os_destination=%2Fpages%2Fviewpage.action%3Ftitle%3DAcme%2B5%2BDocumentation%26spaceKey%3DAcme5”,
“params” : {
“os_username” : “username”,
“os_password” : “password”
}
}

}

loginUrl – The URL on which the first page that initializes the login chain is located