4195 matches found
Data anonymiser does not blank out SMTP server username and password
SMTP server username and password are readable in the database/XML export. This is a possible security leak, e.g. when you send a support request that includes a database export. The anonymizer does not remove these values. ---- Username and password should be in an encoded format in the database...
Implement user lockout mechanism to stop bruteforce login attacks
A hacker can try as many times as he wants to log in to JIRA. You can build a client which sends username+password combinations as many times as you like, and if you have the username, it is much easier to get in. ---- Implementation ideas: 1. Lock user after X sequential incorrect logins - X can be set by...
Project Role Modifications not reflected in Issue Security Scheme
If you modify users/groups in a project's project role and this project uses an issue security scheme, you must remove the role and re-add it to the issue security scheme for the role changes to take effect. Steps to Reproduce: 1. Need to be the admin of a project whose issue creation screen has...
Need ability to limit use of remote API to certain users, or a certain group
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-7913. The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many...
Need ability to limit use of remote API to certain users, or a certain group
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-7913. The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many...
Need ability to limit use of remote API to certain users, or a certain group
The remote API presents opportunities for denial of service attack. For example: RemoveSpace for a space with many pages can take several minutes, and all other users are locked out of the wiki until it completes. Reading or writing pages too rapidly through the API can impact the responsiveness of...
Deleting user does not remove the user from a permission scheme
If a single user is added to a permission in a permission scheme, deleting this user will not remove him/her from the permission scheme. This results in stack traces in the logs such as: 2007-02-14 14:10:57,882 WARN atlassian.jira.scheme.AbstractSchemeManager 'fred' is not a valid user...
XSS bug: usernames not HTML-encoded in all places
When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this and, on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...
Directory listing enabled on Tomcat
Tomcat has directory listing enabled by default. This allows browsing directories such as /images/. It seems that the filters do not take action to prevent this unauthorized access. When directory listing is disabled (in /conf/web.xml in the Tomcat directory), Jira gives 404 errors. See...
Publicly available usernames are a security risk
The login username of users is revealed all over the place, in URLs that link to the user profile, the user's list of assigned open bugs, etc. This seems to be a big security risk, because you have given away half of the user identification to strangers. Anybody can look up a user in the issue tracker a...
IP restrictions on admin rights
A security-conscious evaluator has requested the option to restrict administration access to a range of IP addresses or a specific IP address...
Change a user's password remotely
I would like to be able to change a user's password remotely. Suggested API and implementation as follows: void changePassword(User admin, String username, String password) throws RemoteException, RemoteValidationException, RemotePermissionException; public void changePassword(User admi...
Change a user's password remotely
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-9921. I would like to be able to change a user's password remotely. Suggested API and implementation as follows: void...
Change a user's password remotely
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/JRACLOUD-9921. I would like to be able to change a user's password remotely. Suggested API and implementation as follows: void...
Don't send any notifications to disabled users
Once a user is disabled, they should not receive any notifications...
Support nested groups
Resolved in Confluence 3.5: We are pleased to advise that support for nested groups is available in Confluence 3.5. You can find instructions on how to configure nested groups in our documentation: Configuring User...
Confluence is not using the Seraph logout URL to define how to log out.
We need to update our use of Seraph to delegate the definition of the logout URL to seraph-config.xml. Workaround for Confluence 5.7.2 and older: Find and copy /confluence/WEB-INF/lib/confluence-x.x.x.jar to a temp location, with "x.x.x" representing your Confluence version number. Extract the...
Project admin is presented with an option to select a Screen Scheme
The option of changing the scheme should only be given to the global admins...
NPE in SpaceHelper borks page....
If you have a URL for Space admin such as http://server.name.com/spaces/listdecorators.action?key=BP2I and you get the space key wrong, then rather than failing gracefully you end up with a SiteMesh decoration of an empty page.... Looking at the code, you can see why: public String getSpaceName() retur...
A user cannot set the security level to none if the default security level is set
Selecting 'none' always creates an issue with the default security level...
"Change password" facility modifies only the password in the local database, not in LDAP.
If JIRA is configured to use LDAP authentication and a user changes their password, JIRA checks the current password in LDAP but modifies the password in the local database only. I think the correct behaviour is to change both passwords -- in LDAP, because this is the one which is really used, and in the local...
LDAP authentication falls back to database check when password is incorrect
If a user is present in LDAP, but the entered password is incorrect, JIRA ought to immediately fail to authenticate them. Instead in 3.2-beta it delegates to the database, and checks the password there...
Logon with wrong user/password gives a 'weird' error page.
The error screen after a wrong login is 'weird'...