Embedded Crowd passes sensitive parameters in the URL when adding a new or editing an existing user directory.

Type atlassian
Reporter dgnoato@atlassian.com
Modified 2020-09-23T22:00:45


h3. Issue Summary

While adding a new directory or editing an existing one, Embedded Crowd passes the {{directoryId}}, {{xsrfTokenName}} and {{xsrfTokenValue}} parameters in the URL.

h3. Environment

Bitbucket 6.9.X, 7.4.X, 7.5.X, 7.6.X

h3. Steps to Reproduce

In Bitbucket navigate to Gear Icon > User Directories;

Click {{Add Directory}} and choose any option;

Or edit an existing user directory;

h3. Actual Results

Crowd will form a URL with the following details in it:

  • While adding a new user directory:
{code}
<BASE URL>/plugins/servlet/embedded-crowd/configure/activedirectory/?xsrfTokenName=<TOKEN_NAME>&xsrfTokenValue=<TOKEN_VALUE>
{code}

  • While editing an existing user directory:
{code}
<BASE URL>/plugins/servlet/embedded-crowd/configure/ldap/?directoryId=<DIR_ID>&xsrfTokenName=<TOKEN_NAME>&xsrfTokenValue=<TOKEN_VALUE>
{code}

h3. Expected Results

Embedded Crowd should keep these parameters out of the URL.

h3. Notes

The URL exposes sensitive details about the application (the XSRF token name and value, and the directory identifier). Query strings are routinely recorded in browser history, proxy and web-server access logs and Referer headers, so placing these values there could lead to security issues.
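As an added example for defenders (not Atlassian code, and not part of this issue), the following script scans web-server access-log lines for requests to the Embedded Crowd configuration servlet whose query string carries the parameters named above, reports which ones leaked, and produces a redacted copy of each affected line so that logs can be sanitised. The log format, the token values and the directory id in the sample lines are constructed for the example; only the servlet path and parameter names come from the issue.

```python
"""Find and redact Embedded Crowd XSRF tokens / directory ids leaked in URLs.

Added example for this issue, not Atlassian code. The access-log format and
the sample lines below are constructed; the servlet path and the parameter
names are the ones reported in the issue.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters the issue reports as being placed in the URL.
SENSITIVE_PARAMS = {"xsrfTokenName", "xsrfTokenValue", "directoryId"}

# Path prefix of the Embedded Crowd configuration servlet named in the issue.
CROWD_CONFIGURE_PREFIX = "/plugins/servlet/embedded-crowd/configure/"

# Constructed sample access-log lines (common-log style, request quoted).
SAMPLE_LOG = """\
10.0.0.5 - admin [23/Sep/2020:10:01:02 +0000] "GET /plugins/servlet/embedded-crowd/configure/activedirectory/?xsrfTokenName=EXAMPLE_TOKEN_NAME&xsrfTokenValue=EXAMPLE-TOKEN-1 HTTP/1.1" 200 5123
10.0.0.5 - admin [23/Sep/2020:10:02:10 +0000] "GET /plugins/servlet/embedded-crowd/configure/ldap/?directoryId=10001&xsrfTokenName=EXAMPLE_TOKEN_NAME&xsrfTokenValue=EXAMPLE-TOKEN-2 HTTP/1.1" 200 6010
10.0.0.7 - - [23/Sep/2020:10:03:00 +0000] "GET /projects/PRJ/repos/app/browse?at=refs%2Fheads%2Fmaster HTTP/1.1" 200 8890
10.0.0.5 - admin [23/Sep/2020:10:04:00 +0000] "GET /plugins/servlet/embedded-crowd/directories/list HTTP/1.1" 200 3001
"""

# The quoted request portion of a log line: method, request-target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def leaked_params(target: str) -> dict:
    """Return the sensitive query parameters present in a configuration-servlet request."""
    parts = urlsplit(target)
    if not parts.path.startswith(CROWD_CONFIGURE_PREFIX):
        return {}
    return {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in SENSITIVE_PARAMS}


def redact_target(target: str) -> str:
    """Replace the values of sensitive query parameters, leaving other parameters intact."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def scan_log(text: str) -> list:
    """Return (line_no, leaked_params, redacted_line) for each line exposing a token or directory id."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        leaked = leaked_params(target)
        if leaked:
            findings.append((n, leaked, line.replace(target, redact_target(target))))
    return findings


if __name__ == "__main__":
    for n, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: leaked {sorted(leaked)}")
        print(f"  redacted: {redacted}")
```

Run against a real access log, the redacted lines can replace the originals before the log is shipped to a central store; the match is restricted to the configuration servlet path so that unrelated requests carrying a {{directoryId}} parameter are not flagged.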

h3. Workaround

No workaround is available at the moment.