CONFSERVER-93442: Confluence XHR requests have the wrong content type

Source: jira.atlassian.com
Reported: 2023-12-01 15:01:46
Vulners AI Score: 7.1 High (confidence: High)
h3. Problem

Watching or unwatching a Confluence page, and the other operations listed under "Endpoints reported as affected" below, generate a request like the one shown here (copied as curl from a HAR capture for convenience):
{code:bash}
curl 'https://confluence/rest/api/user/watch/content/9999999' \
  -X 'DELETE' \
  -H 'authority: k8s-55855.prod.atl-cd.net' \
  -H 'accept: application/json, text/javascript, */*; q=0.01' \
  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'cookie: sanitised' \
  -H 'origin: https://confluence' \
  -H 'pragma: no-cache' \
  -H 'referer: https://confluence/display/TROL/2023-12-01+Meeting+notes' \
  -H 'sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36' \
  -H 'x-requested-with: XMLHttpRequest' \
  --data-raw 'atl_token=12345abcdef67890abcdef' \
  --compressed
{code}
Although the {{content-type}} of this DELETE request is set to {{application/json}}, the payload is not JSON: {{atl_token=12345abcdef67890abcdef}} is a URL-encoded form field (the format described by {{application/x-www-form-urlencoded}}). For the body to parse as JSON it would have to be a string literal, i.e. {{"atl_token=12345abcdef67890abcdef"}} with the double quotes included.

A request like the one above causes problems wherever the compliance between the {{content-type}} header and the payload is checked strictly, for example by a firewall, WAF or other network equipment that performs packet inspection: the inspector declares the body invalid for the declared type and drops the request.

We should either change the {{content-type}} we send so that it also covers {{text/plain}}, or add double quotes around {{atl_token=12345abcdef67890abcdef}} so that JSON validation passes. (Declaring {{application/x-www-form-urlencoded}}, which is what the body actually is, would also satisfy such a check.)
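To make the mismatch concrete, here is a small check of the kind an inspecting firewall or WAF applies: does the body parse as the media type the header declares? This is an added example, not code from the Jira issue, from Confluence, or from any particular firewall product; the sample request is constructed from the curl command above (the token value is the report's placeholder), and the two "fix" helpers implement the two remedies proposed in the report plus the form-urlencoded alternative.

```python
"""Content-type vs. payload compliance check (added example, not Confluence code).

Classifies a request body by what it actually parses as and compares that with
the declared Content-Type, the way a strict inspecting firewall would.
"""
import json
from urllib.parse import parse_qs

# Constructed sample: the DELETE request from the report. The token value is
# the placeholder used in the report, not a real XSRF token.
REPORTED_REQUEST = {
    "method": "DELETE",
    "url": "https://confluence/rest/api/user/watch/content/9999999",
    "headers": {"content-type": "application/json"},
    "body": "atl_token=12345abcdef67890abcdef",
}


def media_type(content_type):
    """Bare media type of a Content-Type value, parameters such as charset dropped."""
    return content_type.split(";", 1)[0].strip().lower()


def detect_body_type(body):
    """Guess which media type actually describes the body.

    JSON is tried first (a quoted string literal is valid JSON), then strict
    key=value form parsing; anything else is treated as text/plain.
    """
    try:
        json.loads(body)
        return "application/json"
    except ValueError:
        pass
    try:
        fields = parse_qs(body, strict_parsing=True)  # raises on junk like 'a&=b'
    except ValueError:
        fields = {}
    if fields:
        return "application/x-www-form-urlencoded"
    return "text/plain"


def check_request(req):
    """Return (compliant, detail): does the body parse as the declared type?

    text/plain accepts any body, so it never mismatches; every other declared
    type must match what the body parses as, which is the strict behaviour the
    report attributes to packet-inspecting firewalls (assumption: the inspector
    uses the same "parse as declared type" rule as this function).
    """
    declared = media_type(req["headers"].get("content-type", ""))
    actual = detect_body_type(req["body"])
    where = f"{req['method']} {req['url']}"
    if declared == "text/plain" or declared == actual:
        return True, f"{where}: body acceptable as {declared or '(no content-type)'}"
    return False, f"{where}: declared {declared or '(none)'}, body looks like {actual}"


def fix_by_quoting(req):
    """Remedy proposed in the report: wrap the body in double quotes so it is a JSON string."""
    return dict(req, body=json.dumps(req["body"]))


def fix_by_content_type(req):
    """Alternative remedy: declare the type that actually describes the body."""
    headers = dict(req["headers"])
    headers["content-type"] = detect_body_type(req["body"])
    return dict(req, headers=headers)


if __name__ == "__main__":
    for candidate in (REPORTED_REQUEST,
                      fix_by_quoting(REPORTED_REQUEST),
                      fix_by_content_type(REPORTED_REQUEST)):
        ok, detail = check_request(candidate)
        print("PASS    " if ok else "MISMATCH", detail)
```

Run as a script it reports the captured request as a mismatch and both corrected variants as passing, which is exactly the distinction a firewall exception would otherwise have to paper over.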

h3. Endpoints reported as affected

  • “Save for Later” (make favourite) a Page
    {code:java}
    Request URL: https://CONFLUENCE_HOME/confluence/rest/experimental/relation/user/current/favourite/toContent/<PAGE_ID>
    {code}

  • Deselect a Page as Favourite
    {code:java}
    Request URL: https://CONFLUENCE_HOME/confluence/rest/experimental/relation/user/current/favourite/toContent/<PAGE_ID>
    {code}

  • Discard an Unpublished Draft (Existing Page)
    {code:java}
    Request URL: https://CONFLUENCE_HOME/confluence/rest/synchrony/1.0/content/<PAGE_ID>/changes/unpublished
    {code}

  • Delete a Draft (Never Published Page)
    {code:java}
    Request URL: https://CONFLUENCE_HOME/confluence/rest/api/content/<PAGE_ID>?status=draft
    {code}

  • Delete a Link on the Side Bar
    {code:java}
    Request URL: https://CONFLUENCE_HOME/confluence/rest/ia/1.0/link/<LINK_ID>
    {code}

h3. Workaround

Set an exception on the firewall (or other inspecting device) so that these incorrectly typed requests, a DELETE declared as {{application/json}} carrying a form-encoded {{atl_token}} body, are allowed through instead of being dropped as content-type mismatches.

Affected configurations (as listed by Vulners)

  • Atlassian Confluence Data Center 7.19.16
  • Atlassian Confluence Data Center 7.19.20
  • Atlassian Confluence Data Center 8.5.6
  • Atlassian Confluence Data Center 8.8.1
