4295 matches found
Expired user in Active Directory do not stop user from cloning via SSH
User who is bind with a SSH key can still clone while their account has expired on the Active Directory. However, this user will not able to login to Stash. Another scenario on the same concept works where the user bind with the SSH key is disabled in AD and that user will not be able to clone or...
Information disclosure - full path disclosure
Jira displays charts on the dashboard by writting a temporary file in Jira "tmp" folder and reading it through a page called "charts" When the filename provided to this page is not present, an error message displays the full path to the "tmp" folder, which lies in Jira directory. This is a...
Confluence search returns results from Questions, eventhough CQ does not have anonymous "can-use" permissions
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report|http://jira.atlassian.com/browse/CONFSERVER-47841. panel h4.Steps to Reproduce: Install CQ "1.0.618" or "1.0.618.001" Make sure that CQ does not have anonymous access Brow...
Domain restricted signup is creating enabled users on ApacheDS
When a user signs up to a Confluence instance that has domain restricted sign up enabled, they are normally created as disabled users and are unable to login. However, when the underlying user directory does not support disabling users, such as ApacheDS 1.5, then the user ends up being created as...
prevent crashing when running out of database connections
One common total crash for Confluence is when it does run out of database connection. Any reliable web application should be able to resist to a peak in number of request and not to fully crash when this happens. This is also a security issue because it means that anyone could easily bring the...
Processing malformed PNG by incoming mail handler causes OOM and blocks queue
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-38028. panel There are two problems: 1. OOM 2. Incoming email processing is blocked Looks like this is similar problem to JRA-35816, fixed in...
JSON-RPC API allows anonymous content rendering
The renderContent method can be used by anonymous users, leaking information, and allowing macro execution. Should the entire JSON-RPC be inaccessible to anonymous users if anonymous users can't use confluence?...
LDAP and Active Directory credentials are stored in plain text in database
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-31605. panel This information should be encrypted so that anyone with access to the database does not gain access to other syste...
Jira is logging SOAP body in default config - passwords included
In the default log4j.properties of Jira, there are settings for logging soap dumps. The config file does not explicitly enable the logging of soap dumps, but somehow, this happens, with usernames and passwords. For security, this should be fixed or removed from log4j config...
"Contact Administrators" Process Doesn't Exclude Disabled Administrators
h3. Steps to Reproduce: Create a new test user Add the newly created user into confluence-administrators group Disabled the new test user Access the following URL code/500page.jspcode Click the "Confluence Administrators" link which will redirect you to this URL...
Reflected XSS in 'where' param of doSearchSite
Olivier Beg reported quote noformathttps://confluence.atlassian.com/dosearchsite.action?queryString=%22%3E&startIndex=0&lastModified=LASTWEEK&where=confall%22%3E%3Cimg%20src=x%20onerror=alert1%3Enoformat I asume he is DOM based because he works in google chrome. quote This results in code:html co...
Reflected XSS in JIRA Admin Panel (Delete User)
The 'name' param in jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp is not sanitised, enabling arbitrary html/script execution. A url to demonstrate this issue is:...
Restricted Work Log entries show in the Activity Stream in JIRA Server
h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...
Webwork 2 code injection vulnerability
We have discovered a vulnerability in WebWork 2, which is a part of the Struts web framework. In specific circumstances, attackers can use this vulnerability to execute Java code of their choice on systems that use these frameworks. In case of Fisheye, the attacker needs to be able to access...
Disallow multiple sessions for an account
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-33586. panel It is currently possible to run several sessions under any account. Some customers prefer to restrict the number of sessions to...
The group # in crowd and confluence is different
I used confluence 4.3.7, and integrated with crowd 2.4.2 following the instruction. The issue is that a user is assigned to group confluence-users in crowd, but the group is not shown up in confluence . Here are what I did: Checking in confluence -- users -- detail, shows in groups: no...
JIRA changes base url without asking for admin authentication
If you access JIRA with the wrong url it tells you that and gives you the options of either hiding the message or updating the base url. If you click the "Update the base url" link, the base url WILL BE CHANGED to that, WITHOUT asking you for admin credentials...
Default application files available for download via the application server.
see: https://jira.atlassian.com/browse/JRA-31187 e.g. https://fisheye2.atlassian.com/s/1519/3/1.0//WEB-INF/ and https://fisheye2.atlassian.com/s/1519/3/1.0//WEB-INF/web.xml . FishEye shouldn't write any user data to the WEB-INF directory. The only files which are viewable there, should be the sam...
Webwork direct method invocation can bypass validatingStack through Action aliases
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-27294. panel WebWork supports the concept of action aliases, which allow a single action class to serve requests mapping to...
Persistent XSS in JIRA charting plugin Workload Pie Chart Report
The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand. The configuration page contains an XSS vulnerability in custom field names. 1. Create a custom field with the name alert'custom field' 2. Try to...
Arbitrary resource file download in urlrewrite.xml
panel:bgColor=e7f4fa NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-26888. panel There is an arbitrary resource file download vulnerability triggered by a third party library...
/secure/admin/jira/AcknowledgeTask.jspa is an open redirect
The AcknowledgeTask.jspa page found under http://$HOST/secure/admin/jira/AcknowledgeTask.jspa can be used to redirect users to another page on the internet and possibly used to create a non-persistent xss flaw. Here is an example url which will direct a user to http://google.com...
Secure Section Macro
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-23637. panel This is a suggestion to create a new Macro/Plugin that worked similar to the Column Macro with the major difference...
Web Sudo should be able to be subverted for non browsers (eg scripts) via a HTTP header
We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via a HTTP header. This posts shows the use case https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4 I believe it just as secure since web sudo is really design to stop som...
XSS vulnerability in login.action
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence login action. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:...
"Forgot Password" feature should not reveal that a given username exists within Confluence for security reason
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-22388. panel It is possible to see which user exists on Confluence or not from within "Forgot Password" link. This is bad for...
Ability to perform a bulk random password reset for users per project
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-23703. panel Would like to have the ability to perform a bulk password reset on user accounts for any particular JIRA project. Have recently...
XSS vulnerability in Create Space Button macro
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence create-space-button macro. XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including...
Increase the web session timeout from 60 minutes to 300 minutes
Usability and security testing have shown that XSRF time out is annoying people in the wild. The security guy Vitaly has ok'ed the limit to be increased. This has been done on trunk along with other changes and should be done on 4.3 branch as well...
XSS vulnerability in Confluence Space Names
We have identified and fixed a cross-site scripting XSS vulnerability in Confluence Space Names. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An attacker's te...
NullPointerException when there are no cookies and AccessLogRequestInfo is enabled
When using the filter-list and project-list plugins I ran into an issue where NullPointerExceptions were being thrown. I turned out the issue is in AccessLogRequestInfo when the Cookie header doesn't exists. The line that causes the exception is a log.debug line. I am including a patch that check...
Require user to answer CAPTCHA after three failed attempts
Require user to answer CAPTCHA after three failed attempts. For SOAP and XMLRPC this means that the user will have to open a browser to answer the CAPTCHA, similar to how google does it. This issue has been rated MODERATE. Please refer to http://confluence.atlassian.com/x/ZILmD for details on oth...
Mail support request accepts any e-mail address
The SupportUtility allows the user to enter an arbitrary e-mail address to send a copy of the e-mail to. This issue removes the option for users to enter an e-mail address to CC. This issue also introduces a flag that prevents the TO address from being changed through the web interface. By defaul...
JQL breaks issue security levels based on custom fields
The MultiSelectCustomFieldIndexer does 2 things: index but don't store a case-folded version in the field "customfield10017:retail" store a "raw" version in a new field with the raw added to the end "customfield10017raw:Retail" The problem is that com.atlassian.jira.security.type.GroupCF looks fo...
Include XSS security warning on HTML macro description in Wiki Markup Renderer
Include XSS security warning on HTML macro description in Wiki Markup Renderer. Derived from JRA-19802...
Unable to use HTTPS for login only
If you setup the urlrewrite.xml like so: noformat ^/s/.//download/images/^?. /images/$2 ^/s/.//^?. /$2 ^/login.action https https://localhost:8443/login.action ^/dologin.action https https://localhost:8443/dologin.action ^/. https /login.action. /dologin.action. /s/. http://localhost:8080/$...
Links from indexbrowser.jsp are vulnerable to XSS attacks
CONF-16888 has introduced or re-introduced an XSS vulnerability. To reproduce: Create a new user, and for the Full Name use: noformatalert'Vulnerable'noformat Go to ../admin/indexbrowser.jsp and find the entry Click on the entry, and the script is executed. This also happens for other content typ...
Logout is not working on QA-EAC
Select 'Log Out' from the user menu. Note that you haven't been logged out...
Update of jcaptcha
Update version of jcaptcha that we use...
EPIC FAIL: new user signups result in plain text email with all login details
After signing up to a JIRA instance, I got an email which simply amazed me - it contained: My username My email address My full name My password It was all there, right before me, in a plain-text unencrypted email sent across a public network. WTF?! I'm not sure which universe that's considered a...
CSRF attack message thrown when JSESSIONID is changed
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15779. panel Symptoms: Anything that is using DWR will fail. Meaning: page editor is fully or partially unusable and it may...
Latex Plugin-Cross-site Scripting Error
Our security group scanned the plugin below and found the following issue for the Latex Plugin: Number System/Location Defect Type Status R1 Latex Plugin Client-side Attacks: Cross-site Scripting Open Description Security Risk: It is possible to steal or manipulate customer session and cookies,...
Issue security based on workflow status
I would be great if permission types could be associated with workflow status. What we would like to do is limit the ability to edit an issue by the reporter to a specific workflow status. Using the issue security scheme is not possible since the reporter should always be allowed to view the issu...
Password is being logged for 500 errors
The user passwords are being exposed in the log files when a 500 error happens. The following Jira solved the problem for the information displayed in the user Browser: http://jira.atlassian.com/browse/CONF-12360...
Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...
When a notification is sent out for a page that includes the \jiraissues\ macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions. Here are the steps to reproduce: Set up the trust relationship between your JIRA and Confluence installs Create...
Boolean operators on user and group management
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-13634. panel Please consider this as a feature request for a future release of Confluence. Boolean operands on Space permission...
Hidden pages' content can be viewed without permission using copypage.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A User cannot see Space A User can see Space B The following URL will allo...
XSS vulnerability in pagepicker.action and spacepagepicker.action
The following URL's are vulnerable: - /users/pagepicker.action - /users/spacepagepicker.action on formname, fieldname and currentspace panel:bgColor=99ff99 h4. Patch instructions for 2.6.x and 2.7.x 1. Shut down Confluence 2. Copy attached pagepicker.vm to confluence/users/ 3. Start up Confluence...
XSS vulnerability in signup actions
Vulnerable URL's: - signup.action - dosignup.action on username, email, password, confirm, fullname...
Project name that contains double-quote is not properly escaped on Issue Navigator page
If a project has a double-quote in its name, it's not xml-escaped when used in "title" attribute. For example, if we have a project named 14" monitors, the html will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On web browser, the title i...