4295 matches found
Intermittent Session Lost During Add/Edit Page in Firefox
We customized Seraph to integrate with our SSO Server. Seraph will perform session validation through cookies. When using firefox, we found that in 1 out of 5 to 8 times when we edit a page or add a new page, we will lose our session and be directed back to the login page. This does not happen in...
Google Chrome shows mixed content warning
Hello, when JIRA is requested via https with Google Chrome 6.0.472.63 on all URLs of JIRA https is in red, crossed out and a padlock with red cross is shown with this description: "Your connection is encrypted with 128-bit encryption. However, this page includes other resources which are not...
XSS vulnerability in Office Connector
We have identified and fixed a cross-site scripting XSS vulnerability in the Confluence Office Connector. An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to such an attacker's own web server. An...
Page view restriction is not inheriting to child pages in some spaces
When a new page is created using the create-page macro the child page does not have restrictions inherited. This is only happening for a few spaces. If I try the same macro in another space it will work fine. I have rebuilt the ancestors table but this issue is still happening. Please advise...
Confluence should not allow configuration of Office Connector temporary storage location
Earlier versions of Confluence allow the administrator to set the temporary storage location for the View File macro, part of the Office Connector. Provided an attacker has gained administrative access to the system in some way, they could then exploit this vulnerability to save malicious files...
Property for enabling/disabling viewage of Jira administrators
As of JRA-21004, it also happened that the Administrator page does not show the administrators anymore. This patch is enables through one property in jira-atlassian.properties, and it resolves severall problems. We would prefer that there is a property like jira.administrators.show=true/false,...
websudo annotation backwards compatibility (Confluence 3.3)
Following this guide|http://confluence.atlassian.com/pages/viewpage.action?pageId=219021702, I started to use the websudo annotations to secure an XWork action that would process a form in the space admin tab. The plugin is meant to work with Confluence 3.3 and I haven't released a public version...
XSS in mailpage plugin
XSS vulnerability has been reported against the mailpage plugin. It allows an attacker to execute arbitrary javascript. A new version of the issue has been released that fixes this problem...
500page.jsp Improvements
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-19601. panel Some further improvements to the 500page.jsp: The following should not appear if there is no stack trace: quote Cau...
The system paths are to be locked down to the JIRA Home directory
Currently JIRA allows you to change system file paths at runtime. While convenient, this allowed an attacker to elevate his/her stolen system admin access into a situation where he/her can execute arbitrary code. A decision has been made to remove the ability to set the paths at run time. For new...
XSS in page renderer
An XSS vulnerability has been identified in the page renderer. This issue provides a fix for this problem. The severity of this issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues as well as more information on how we rate issues...
Only strings are encoded
The XML encoder only encodes strings. This could make Confluence return non encoded content. This issue is rated HIGH. Please see http://confluence.atlassian.com/x/ZILmD for more security related issue and more information on how we rate issues...
Anonymise config files in support zip
Files included in the generated zip file could contain private information. This issue addresses that by removing all sensitive information before creating the zip. The severity of this issue is HIGH. Please see http://confluence.atlassian.com/x/ZILmD for other security related issues and...
XSS vulnerability in search
An XSS vulnerability has been found in the searching component of Confluence...
Miscellaneous support-related JSPs contain XSS holes
JIRA contains a number of support related JSPs that have been added over the years. They were mostly for fighting spam and other support related tasks. Unfortunately none of these were ever tested very much and contain a lot of XSS holes. They are: groupnames.jsp indexbrowser.jsp...
xss vulnerability in issuelinksmall.jsp
Thanks to NASA / JPL for discovering this: Cross-Site Scripting XSS related to http://oursite/jira/includes/snippets/issuelinksmall.jsp?%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E=has...
A link to Re-Indexing is visible to users even if they are not sys admin
I saw this on EACJ where I am not a sys admin quote XXXX made configuration changes in section 'Custom Fields' at 01/Feb/10 1:16 PM. It is recommended that you perform a re-index. For more information, please click the Help icon. To perform the re-index now, please go to the 'Indexing' section...
Version number
I notice that the JIRA footer displays the current version of JIRA. Revealing the specifics of the revisions of software that you run in production is generally considered a bad security practice. Is there a reason that it is displayed openly to all users in licensed versions of the product? Is i...
Changing system locale means users with non-ASCII characters in their passwords cannot authenticate
The OSUser and Atlassian-User authenticators used by Confluence convert a password into bytes before hashing it. This conversion doesn't specify which encoding should be used, so the system's default encoding is used. If the system administrator changes the locale settings on the server or change...
Confluence adminsistrators can still view a restricted page if the type in the URL or click on a link in an email
If I set page viewing restrictions on a wki page to one group of which I am a member, other users, including confluence adminsistrators, cannot see the page when navigating within the application. If they type in the URL of the restricted page or click on a link to the restricted page, then can...
CAPTCHA Option Should Exist for The Password Reset Form
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-20150. panel The password reset prompt allows an individual to reset any user's password. My company uses a standard employee id to use for t...
Randomised password not sent in email
When creating a user with password normally, the notification email to that new user will contain the password. However creating a new user and leave the password blank, JIRA randomly generates a password for that user, but the randomised password "is not sent" in the notification email to that...
Remove database passwords from the file system.
Currently if you connect Jira to an external database, you must store the database credentials on the file system either in the server.xml file Jira standalone, or in an equivalent file. This has security implications. Can we modify the application to not store this information on the file system...
User's Full Name is an XSS vector in Status Updates tab of User Profile
A user's full name is an XSS vector when viewing the "Status Updates" tab of the user profile. 1 Set a user's Full Name as "alertdocument.cookie". 2 Log out. 3 If anonymous access is disabled, log in as a different user, otherwise, continue as Anonymous. 4 Go to the profile page for the user...
Watchers can be added to a project without having rights in that project
A user of Jira at our site has found that two people he added to watchers on this project were only members of the Jira Users group and had no rights in the project. Therefore Jira silently did not send any notifications and they did not receive the information that the original user thought they...
admin gadget rest endpoint information leak
the admin rest endpoint can return admin-only information even if the end user is not an admin...
admin gadget rest endpoint information leak
the admin rest endpoint can return admin-only information even if the end user is not an admin...
XSS bug when unfavouriting a dashboard
When unfavouriting a dashboard with name 'alert'blah';' the javascript is executed. https://extranet.atlassian.com/display/QA/JIRA+Dashboards+Blitz+-+Mark%27s+Findings...
XSS vulnerability can be exploited on the WebDAV Configuration page
Steps: Go to WebDAV Configuration Enter 'alert"XSS"' Click on 'Add new regex' button The script will be executed. It will continue to be executed whenever a user clicks on the 'Save' button. This can be done by users in the confluence-admin group, so it could be used by them to gain access to...
XSS in user links
A user with username "alert"foo" that is linked to via \username markup results in script being executed. Curiously, viewing the space homepage of that user results in a blank page. This of course is prevented for public signup, but if the user gets created via other means, i.e. external user...
Viewfile macros do not respect page restrictions
Add a page Set viewing restrictions to user1 only Add an attachment - 'Sample.doc' Log in as user2 - confirm that you cannot see the restricted page Add a page, and use the viewfile macro Enter the location of the attachment on the restricted page The contents of the attachment can now be viewed ...
Jiraissues add icon mapping configuration is susceptible to XSS
Combined with XSRF susceptibility via CONF-15753; you can craft an attack to get elevated privileges in Confluence. !http://img.skitch.com/20090520-x5gug8e8q5snabtmm2i2kdx1p.jpg!...
Impropper sanitisation of attachment filenames allows header injection
An attacker can craft a specific attachment filename, or rename the file once it has been uploaded to introduce arbitrary headers into the response stream...
Redirect that works in 2.9 is broken in later Confluence versions
Adding a .jsp containing the following code will work in 2.9, but produces an exception in 2.10 when a parameter such as osdestination is supplied: code code Example URL: http://localhost:8080/confluence/login2.jsp?osdestination=%2Fdashboard.action Typical exception: quote...
Attachment list in popup doesn't escape filenames causing XSS hole
The filenames in the attachment list of the link popup aren't being escaped. If you upload an attachment with a filename including html it could be executed...
Restrict anonymous users from viewing user profiles.
Even if I start Confluence with -Dconfluence.disable.peopledirectory.anonymous=true, it is still possible to browse individual users by visiting a URL like https://wikiBaseUrl/display/accountName. This is a major security problem for us because it exposes: 1. The user's name 2. The user's ID 3. T...
Restrict access to page history to certain users (or groups)
panel:bgColor=e7f4fa NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-13247. panel A customer requested for a new feature to restrict access to page history only to a particular group or certain use...
It's possible to execute a workflow action without being logged in.
To reproduce, open Jira in two browser windows. In the first, navigate to an issue with an available workflow action. In the second, log out. In the first, perform one of the workflow actions. You'll see a page asking you to log back in, but the action has still been performed. To see this, in th...
default config values restored
This should be for 2.9.1 - this version was not yet available under "affects versions" when filing this bug. After updating from 2.9 to 2.9.1, most of my settings were overwritten by their default values. - public signup got enabled - the language changed back to english instead of german - e-mai...
Confluence breaks SSO integration (PATCH)
A long time ago when I wrote our authenticator for wikis.sun.com, I noticed that under some circumstances our SSO server didn't redirect back to wikis.sun.com correctly. It redirected to a confluence URI without specifying the host and the domain, which resulted in the browser ending up on our SS...
XSS vulnerability in create/edit/copy page and blogpost actions
panelThe following create/edit page URL's are vulnerable: - /pages/createpage.action - /pages/docreatepage.action - /pages/editpage.action - /pages/doeditepage.action on parentPageString panel Example of a maliciously crafted path:...
Remember my password with LDAP
At the login screen, when we click on 'Remember my login on this computer' and login, everything works well. When we close the browser without logout, the login should be remember on this computer. When we try to get back into Jira, here's the bug that we have into our log file. 2008-04-22...
Some users' logins are not remembered using Tomcat
When using Confluence, and Tomcat 5.5.26 or Tomcat 6 some users may find that their logins are not remembered. This is because of a bug in Tomcat's cookie handling. This is logged against the Atlassian Seraph library used by Confluence as SER-117. SER-117 has been fixed, so we "just" need to use ...
It's possible to browse project names when using Issue Security Scheme.
A customer user is set up and only allowed to see "External" issues. - The user is added as project role "Customers" in project "X". - The project got Issue Security Scheme "Customers". Internal / External When logging in as the customer user, you can only see the External issues within this...
Session isn't invalidated on logout
When the user logs out the HttpSession isn't invalidated. The important details of the logged in user and other information is correctly cleared but other properties such as user preferences are not. The impact is things like the label's section and location section's openness state isn't correct...
ClassCastException reported when stopping JIRA
When stopping tomcat wich hosts only Jira, there is always such stack trace in tomcat logs: code 2008-02-18 19:25:32,767: ERROR Thread-33 - org.apache.catalina.core.ContainerBase.Catalina.localhost./jira.release - ApplicationFilterConfig.doAsPrivilege java.lang.ClassCastException:...
Trusted authentication doesn't work for Confluence users with uppercase usernames
Trying to use the trusted authentication feature of the Jiraissues macro doesn't work when a user's username is uppercase. JIRA shows the following in its log: quote 2008-01-23 13:59:48,104 INFO STDOUT 2008-01-23 13:59:48,104 ajp-0.0.0.0-6103-8 WARN atlassian.seraph.filter.TrustedApplicationsFilt...
Project name that contains double-quote is not properly escaped on Issue Navigator page
If a project has a double-quote in its name, it's not xml-escaped when used in "title" attribute. For example, if we have a project named 14" monitors, the html will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On web browser, the title i...
"Forgot password" function allows easy misuse
The "Forgot password" function invents a new password and sends it by email. This invites to misuse as guessing the userid already allows to annoy or even lock-out the legitimate account owner. The user may currently not have access to his email account or the mail could be killed by a spam filte...
Move velocity templates and other web resources into WEB-INF in the Confluence webapp
It presents a small information leak, and is just tidier if we put all the internal stuff into WEB-INF...