Confluence 2.8 : Confluence Security Advisory 2007-11-27
This page last changed on Nov 27, 2007 by smaddox.
In this advisory: Error formatting macro: toc: java.lang.NullPointerException
XSS Type 2 Vulnerabilities in Macros and Wiki MarkupSeverityAtlassian rates this vulnerability as HIGH, according to the scale published by the SANS Institute. The scale allows us to rank a vulnerability as critical, high, moderate or low, as described in the SANS vulnerability analysis. Risk AssessmentWe have identified and fixed some security flaws which may affect Confluence instances in a public environment. These flaws are XSS (cross-site scripting) vulnerabilities in some of Confluence's macros and Wiki Markup, which potentially allow a malicious user (hacker) to insert their own HTML tags or script into a Confluence page.
Atlassian recommends that you upgrade to Confluence 2.6.2 to fix the vulnerabilities described below. You can read more about XSS attacks at cgisecurity, CERT and other places on the web. Risk MitigationIf you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only. VulnerabilityThe following macros are affected:
The Wiki Markup for inserting images (e.g. !myImage.png!) is also vulnerable to XSS exploitation. FixThe fix is to escape all user input, so that no user input is interpreted as HTML or CSS. In some cases we also perform stricter validation on the range of values a user can supply in an attribute. These issues have been fixed in Confluence 2.6.2. For more information, please see CONF-9350. Our thanks to Igor Minar, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate his working with us towards identifying and solving the problem. Please let us know what you think of the format of this security advisory and the information we have provided. |
![]() |
Document generated by Confluence on Jun 24, 2008 18:01 |