4295 matches found
View PDF Macro in Office Connector makes http fetch from Adobe from https session
The View PDF macro within the Office Connector plugin provides the following http URL even for https sessions when a user's browser fails the Flash installed test. http://www.adobe.com/images/shared/downloadbuttons/getflashplayer.gif It's bad form to mix http urls in with secured https sessions a...
XSS Vulnerability in Administration Interface of JIRA Bamboo Plugin
We have identified and fixed a cross-site scripting XSS vulnerability in JIRA administration interface. Affected version is JIRA 4.3.x XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at various places on the web...
Inline attachment downloads vulnerable to XSS by setting tweaked HTML content type
Please see CONFDEV-9069 https://jira.atlassian.com/browse/CONFDEV-9069 for the current issue addressed at fixing attachment XSS vulnerabilities. --- TLDR: white-list mime-types which can be served "inline" and don't let the user set arbitrary mime-types. I have been having a good laugh sorry...
Better error message when viewing an embedded calendar as an unprivileged user
On our site's dashboard I have a calendar macro defined as: codecalendar:id=8f564b4b-afed-4ceb-b206-2e426f595648,a80c628d-5155-40bc-8a55-0874fb77bf71code The result is something that looks like this: !User with View Rights.JPEG! After using the new features from TEAMCAL-102 to restrict view acces...
GeneralUtil.htmlEscapeQuotes should be annotated HtmlSafe
The GeneralUtil.htmlEscapeQuotes method outputs HTML and thus should be annotated as @HtmlSafe. Not doing so causes its output to be double escaped when automatic escaping is enabled for the plugin/velocity template...
On internal error, JIRA will display error information to the user (in the browser)
When JIRA bundled tomcat?? encounters an internal error it displays error information to the user in the browser. This can leak internal, possibly sensitive, information. It should report that there was an error and inform the user to contact their JIRA admin...
Members of confluence-administrators receive notifications for comments and attachments on restricted pages
Members of the special confluence-administrators group have access to all content on the site, however they should not see restricted content in search results or get notifications about changes on restricted pages. There is a bug in the permission check for notifications about "contained" object...
When configured for Internal Database with LDAP for Authentication Only, Confluence does not check the LDAP when authenticating users
Configured Confluence to keep and manage users in its internal database, but to first try to use LDAP for authentication only, via the new interface. Debug output suggests Confluence is not bothering to check the LDAP at any point during the authentication process. More detail is available here:...
"Forgot Password" feature should not reveal that a given username exists within Confluence for security reason
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-22388. panel It is possible to see which user exists on Confluence or not from within "Forgot Password" link. This is bad for...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered a Studio customer, you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...
User Enumeration
Security auditing tests performed on a Jira Bug Issue and Project Tracking Software locally running instance shown that at least two vulnerabilities regarding User Enumeration were found within the software. Case 1: Logged In Whenever a logged user accesses the Url...
Admin menu items displayed to non-admins when accessing "Global Templates" page
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-21562. panel When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel are...
Increase the web session timeout from 60 minutes to 300 minutes
Usability and security testing have shown that XSRF time out is annoying people in the wild. The security guy Vitaly has ok'ed the limit to be increased. This has been done on trunk along with other changes and should be done on 4.3 branch as well...
Security Vulnerability in Confluence Remote API
We have identified and fixed a vulnerability in the Remote API which affects Confluence instances, including publicly available instances. The Remote API|http://confluence.atlassian.com/display/DOC/Enabling+the+Remote+API allows an attacker to escalate user privileges, excluding the level of syst...
Non-secure content warning in IE8 on the Dashboards screen caused by the wiki renderer
Wiki renderer-generated contents e.g. in the activity stream include references to icons with http prefix that cause IE8 to generate security warnings for JIRA instances accessible via HTTPS. To reproduce it, have contents in the activity stream gadget contain icons included by the wiki renderer,...
XSS vulnerability in the Office Connector
We have identified and fixed a cross-site scripting XSS vulnerability which may affect Confluence instances in a public environment. The XSS vulnerability is exposed in the document import function of the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal...
websudo annotation backwards compatibility (Confluence 3.3)
Following this guide|http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702, I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...
sudo is decorated with global decorator
The reasoning behind preventing theme developers from theming the admin areas was because if you don't know what you are doing then you can mess things up to such an extent that you are unable to use confluence. By decorating the sudo login pages using the global decorator it exposes the user to...
XSS vulnerability in PDF export
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence action that performs the export to PDF. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's o...
Not all error strings are encoded
A XSS vulnerability where a string could bypass the Anti-XSS mechanism has been identified. This issue corrects this problem. The severity of this issue is rated as LOW. Please see http://confluence.atlassian.com/x/ZILmD for information on other security related issues and our rating system...
brute force password attack protection by default
We have added an upgrade task to set jira.maximum.authentication.attempts.allowed=5 on all instances even if they previous had set it to something else. This is to ensure that systems are more safe by default...
Group picker popup JSP has XSS hole if group names are XSS shaped
If a group name has a XSS shaped name, then the group picker will allow scripts to be executed...
500page.jsp contains HTTP Header XSS vulnerability
The 500page.jsp contains an XSS vulnerability via the 'Referrer' HTTP header...
screenshot-redirecter.jsp XSS attach via the afterURL parameter
The screenshot-redirector.jsp does note escape the 'afterURL' URL parameter correctly, leading to an XSS attack vector...
issuelinkssmall.jsp has an XSS hole via the URL used to access it
The issuelinkssmall.jsp has an XSS hole, where if the URL contains an XSS string, the ww:url tag will include that tag in the page because the value attribute was left empty...
JQL breaks issue security levels based on custom fields
The MultiSelectCustomFieldIndexer does 2 things: index but don't store a case-folded version in the field "customfield10017:retail" store a "raw" version in a new field with the raw added to the end "customfield10017raw:Retail" The problem is that com.atlassian.jira.security.type.GroupCF looks fo...
Confluence adminsistrators can still view a restricted page if the type in the URL or click on a link in an email
If I set page viewing restrictions on a wki page to one group of which I am a member, other users, including confluence adminsistrators, cannot see the page when navigating within the application. If they type in the URL of the restricted page or click on a link to the restricted page, then can...
deleted page is still accessible in Confluence when accessing via viewpage.action?pageId in the url
Deleted pages can still be accessed in Confluence when one enters their pageId in the url. For example: noformat http://confluence.atlassian.com/pages/viewpage.action?pageId=196837485 http://confluence.atlassian.com/display/CONFKB/Office+Connector noformat The links above are referring to the sam...
XSS in header for Personal Spaces
Create a user with username "alert'hahahaha' User creates a personal space Try to add a page to the personal space This is caused by code code However since the personal space doesn't work too well with usernames with crazy letters, I don't think its a Blocker...
Logout is not working on QA-EAC
Select 'Log Out' from the user menu. Note that you haven't been logged out...
XSS vulnerability can be exploited with the Userlister macro
Use the following markup: noformatuserlister:groups=alert'Vulerable'noformat Whenever the page is viewed, the script will be executed...
XSS vulnerability can be exploited with the Userlister macro
Use the following markup: noformatuserlister:groups=alert'Vulerable'noformat Whenever the page is viewed, the script will be executed...
XSS bug when unfavouriting a dashboard
When unfavouriting a dashboard with name 'alert'blah';' the javascript is executed. https://extranet.atlassian.com/display/QA/JIRA+Dashboards+Blitz+-+Mark%27s+Findings...
XSS vulnerability in space name when page move would create a duplicate
Create a space called alert"XSS"; Find a page named 'Home' in a different space Move this page, choosing the previously created space as the destination The move will fail due to the duplicate page name, and the script will be run...
Viewfile macros do not respect page restrictions
Add a page Set viewing restrictions to user1 only Add an attachment - 'Sample.doc' Log in as user2 - confirm that you cannot see the restricted page Add a page, and use the viewfile macro Enter the location of the attachment on the restricted page The contents of the attachment can now be viewed ...
Jiraissues add icon mapping configuration is susceptible to XSS
Combined with XSRF susceptibility via CONF-15753; you can craft an attack to get elevated privileges in Confluence. !http://img.skitch.com/20090520-x5gug8e8q5snabtmm2i2kdx1p.jpg!...
Shared Filter properties exposed without authentication
Some URLs are not protected by authentication which could expose some properties in JIRA that users may not wish to reveal. Example 1: Searching filters http://support.atlassian.com/secure/ManageFilters.jspa?filterView=search Example 2: Viewing properties of filters. I can see custom fields, sear...
Import Pages is not restricted to system admins
The Import pages actions is currently restricted to space admins not system admins like it should. Caused by CONF-10039...
Partial space admin permission/authority
I followed these guidelines, but this is not fine grained enough. http://confluence.atlassian.com/display/DOC/Global+Permissions+OverviewGlobalPermissionsOverview-confluenceadmin We need to prevent space admin adding new permission to their space. We prefer to manage space permission by the...
Update JIRA certificate for Screenshot Applet and others. It expires in June 2009
See https://extranet.atlassian.com/jira/browse/ADM-3253 Move Steves branch into trunk in the process. Also I think the build environment might need direct updating...
Fix header injection vulnerabilities
A number of vulnerabilities were found during JRA-16024 which expose JIRA to header injection attacks: Note that different application server configurations may expose or hide the presence of a header injection vulnerability. Standalone tomcat is usually not vulnerable. Tomcat 5.5.26 redirects al...
Fix header injection vulnerabilities
A number of vulnerabilities were found during JRA-16024 which expose JIRA to header injection attacks: Note that different application server configurations may expose or hide the presence of a header injection vulnerability. Standalone tomcat is usually not vulnerable. Tomcat 5.5.26 redirects al...
XSS bug in wiki markup link rendering
The following wikimarkup creates links with an onclick event. noformat test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' noformat This is due to the following code in...
XSS in bookmarks plugin
The bookmarking code under the url http://localhost:8080/plugins/socialbookmarking/updatebookmark.action is vulnerable to XSS attacks using the spaceKey parameter: submitting the following code will execute javascript: spaceKey=%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E%22%3E IMPORTANT:...
default config values restored
This should be for 2.9.1 - this version was not yet available under "affects versions" when filing this bug. After updating from 2.9 to 2.9.1, most of my settings were overwritten by their default values. - public signup got enabled - the language changed back to english instead of german - e-mai...
Pages that inherit page restrictions are not respecting those restrictions after upgrade to Confluence 2.9
Tested and verified in both customer enviornment and in test enviornment. In the event that you have a parent page restriction and a child page that inherits that restriction, upon upgrade, 2.9 will only respect the explicit parent permission in terms of security trims and actual access but not...
Hidden pages' content can be viewed without permission using diffpages.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A Page with id 2 is in Space B User cannot see Space A User can see Space ...
Hidden pages' content can be viewed without permission using copypage.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. EG: Two spaces A and B Page with id 1 is in Space A User cannot see Space A User can see Space B The following URL will allo...
Confluence breaks SSO integration (PATCH)
A long time ago when I wrote our authenticator for wikis.sun.com, I noticed that under some circumstances our SSO server didn't redirect back to wikis.sun.com correctly. It redirected to a confluence URI without specifying the host and the domain, which resulted in the browser ending up on our SS...
XSS using onerror
We had a user enter a viagra ad that actual redirected to their site. I think the offending code was here: although obviously they didn't use example.com I've attached the whole page for examination...