Preventing path disclosure in file upload functionality and Page export for security purposes

2021-07-15T09:11:20
ID ATLASSIAN:CONFSERVER-66587
Type atlassian
Reporter ac6d7f363e18
Modified 2021-11-14T04:35:37

Description

h3. Issue Summary

While performing the file upload vulnerability test in the Confluence application, we were able to identify sensitive path disclosure in the following cases:

• When we attached a malicious file and tried to download all attachments.
• When we uploaded a malicious file and tried to export as a Word file.

h3. Expected Results

A generic error message that does not reveal any sensitive information, with the internal file path information removed from the application.

h3. Actual Results

Sensitive information including path is visible in stack trace.

!Sensitive path disclosure error.PNG!

h3. Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available.
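
A regression check for the expected result above, as an added example that is not part of the original issue or Atlassian's code: it scans an HTTP error response body for Java stack frames, exception class names and absolute filesystem paths. The function name, patterns and sample bodies are constructed for illustration.

```python
import re

# Each pattern targets something the issue says must not reach the client.
PATTERNS = [
    # "    at pkg.Class.method(File.java:42)" or "(Native Method)"
    ("stack_frame", re.compile(
        r"^\s*at\s+[\w$.]+\.[\w$<>]+"
        r"\((?:[\w$]+\.java:\d+|Native Method|Unknown Source)\)", re.M)),
    # Fully qualified exception class, e.g. java.io.FileNotFoundException
    ("exception_class", re.compile(
        r"\b(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b")),
    # Absolute Unix path under a common root; the lookbehind skips URL paths
    ("unix_path", re.compile(
        r"(?<![\w.:/])/(?:opt|var|home|usr|srv|data|tmp|etc)/[\w.\-/]+")),
    # Absolute Windows path with a drive letter
    ("windows_path", re.compile(
        r"\b[A-Za-z]:\\(?:[\w.\- ]+\\)+[\w.\- ]+")),
]

def find_disclosures(body):
    """Return (kind, matched_text) for every leak found in a response body."""
    findings = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(body):
            findings.append((kind, match.group(0).strip()))
    return findings

# Constructed sample: an error page that leaks a stack trace and a path.
LEAKY = """\
HTTP Status 500
java.io.FileNotFoundException: /var/example/app-home/attachments/placeholder.bin (No such file or directory)
    at java.io.FileInputStream.open0(Native Method)
    at com.example.export.WordExporter.render(WordExporter.java:42)
"""

# Constructed sample: the generic message the issue asks for.
GENERIC = "An error occurred while processing your request. Reference: 3f9c2a1e"

if __name__ == "__main__":
    for kind, text in find_disclosures(LEAKY):
        print(f"{kind}: {text}")
    print("generic page findings:", find_disclosures(GENERIC))
```

Run against the responses of the attachment download and Word export requests after a fix is deployed; an empty result is the pass condition.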