Confluence 3.5 : Confluence Security Advisory 2008-09-08
This page last changed on Sep 29, 2008 by smaddox.
In this advisory:
- XSS Bug: Usernames Not HTML-Encoded in All Places
- Inherited Page Restrictions Are Not Applied After 2.9 Upgrade
- Access Vulnerability in View Wiki Markup Function
- Access Vulnerability in Copy Page Function
- Access Vulnerability in Diff Page Function

XSS Bug: Usernames Not HTML-Encoded in All Places

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which allowed certain users to circumvent Confluence's security measures by including HTML markup in their own username. This could allow a malicious user to execute Javascript in another user's authenticated session.
The following Confluence versions are vulnerable: all versions from 1.0 to 2.9.

Risk Mitigation
If the user specified a username that included HTML markup (which could include Javascript), in some places Confluence would not correctly escape this source before displaying it. This could result in Javascript being executed in another user's authenticated session. To address the issue, you should update your Confluence instance as soon as possible (or follow the patch instructions on the issue).

Vulnerability
This is a classic Cross-Site Scripting issue where usernames could include malicious Javascript.

Fix
This issue has been fixed in Confluence 2.9.1 (see the release notes), which you can download from the download centre. For more information, see issue CONF-7615, which has instructions on how to patch the affected velocity template.

Inherited Page Restrictions Are Not Applied After 2.9 Upgrade

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw that caused any content permission inherited by a page to be lost during the upgrade process to Confluence 2.9.
The following Confluence versions are vulnerable: version 2.9; specifically, only instances of Confluence that were upgraded to version 2.9 from an earlier version.

Risk Mitigation
This issue can be resolved by following the steps under Fix, or by upgrading to Confluence 2.9.1. If this cannot be done immediately, it may be prudent to manually apply restrictions to each page that is normally protected by inherited restrictions (that is, all child pages residing under a restricted page). Enacting the fix is trivial and should take around ten minutes for a typical Confluence instance.

Vulnerability
If you had given a parent page restrictions prior to the 2.9 upgrade, then any child pages that should be inheriting these restrictions are no longer restricted. This potentially renders these child pages viewable and editable by Confluence users who should not have these rights. However, you should note that any space-level restrictions are still respected, so these affected pages are only opened as far as the space-level security allows for your site. Note: individual pages where you have manually set the permissions are not at risk — just the pages underneath them using inherited permissions.

Fix
This issue has been fixed in Confluence 2.9.1 (see the release notes), which you can download from the download centre. Alternatively, you can apply the manual fix, which involves a simple series of actions in the Confluence administration screens. For more information see issue CONF-12911.

Access Vulnerability in View Wiki Markup Function

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which allows users who don't have the correct 'View Page' permission in a space to view the Wiki Markup source of the page content.
The following Confluence versions are vulnerable: version 2.9 only.

Risk Mitigation
If a user knows the URL to view the source of a page, they will be able to bypass Confluence's security checks. This will allow the user to view the contents of a page they aren't meant to see.

Vulnerability
If a user knows the ID of a page that they do not have 'View Page' permission for, they can use the view source URL to view the Wiki Markup of the page. This will allow them to copy and paste the contents of the page to another location, or simply read the markup and deduce its final content. Note: the user will need to know the page ID of the page. Confluence will not provide any links to the restricted page through a search or other navigation.

Fix
This issue has been fixed in Confluence 2.9.1 (see the release notes), which you can download from the download centre. For more information see issue CONF-12845.

Access Vulnerability in Copy Page Function

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which allows users who don't have the correct 'View Page' permission in a space to copy a page and therefore see its content.
The following Confluence versions are vulnerable: all versions from 1.0 to 2.9.

Risk Mitigation
If a user knows the URL to copy a page, they will be able to bypass Confluence's security checks. This will allow the user to view the contents of a page they aren't meant to see.

Vulnerability
If a user knows the ID of a page they do not have permissions for, they can use the copy page URL to copy the page to a space where they do have permission. This will allow them to create a new page based on the content of a page they aren't meant to see.

Fix
This issue has been fixed in Confluence 2.9.1 (see the release notes), which you can download from the download centre. Alternatively, you can download and install the patch for Confluence 2.7.3 or 2.8.2 from our JIRA site – see issue CONF-12859. Instructions on installing the patch can be found here.

Access Vulnerability in Diff Page Function

Severity
Atlassian rates this vulnerability as HIGH, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment
We have identified and fixed a security flaw which allows users who don't have the correct 'View Page' permission in a space to create a diff of a page (a comparison of its contents with another page) and therefore see its content.
The following Confluence versions are vulnerable: all versions from 1.0 to 2.9.

Risk Mitigation
If a user knows the URL to perform a diff of a page, they will be able to bypass Confluence's security checks. This will allow the user to view the contents of a page they aren't meant to see.

Vulnerability
If a user knows the ID of a page they do not have permissions for, they can use the 'Diff Page' URL to compare the contents of that page with one where they do. This will allow them to deduce the contents of a page they don't have access to.

Fix
This issue has been fixed in Confluence 2.9.1 (see the release notes), which you can download from the download centre. Alternatively, you can download and install the patch for Confluence 2.7.3 or 2.8.2 from our JIRA site – see issue CONF-12860. Instructions on installing the patch can be found here.

Our thanks to Neeraj Jhanji from Atlassian Partner ImaHima, who reported the copy and diff page issues to Atlassian. We fully support the reporting of vulnerabilities and we appreciate it when people work with us towards identifying and solving a problem.
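The four access-control items above (inherited restrictions lost on upgrade, and the view source, copy page and diff page functions skipping the 'View Page' check) share one root cause: the permission check was either not derived correctly from the page tree or not applied to every code path that reads page content. The following is an added example, not Atlassian's or Confluence's code, that models the intended behaviour: a page's effective view restriction is inherited from the nearest restricted ancestor and further narrowed by space-level permission, and every content-exposing action (view, view source, copy, diff) calls the same check on each page it reads. The page tree, the ENG space, the usernames and the function names are all constructed for illustration.

```python
"""Added example, not Atlassian's code: a minimal model of Confluence-style page
access control.  It shows (a) page 'view' restrictions inherited from the nearest
restricted ancestor, narrowed further by space-level permission, and (b) one
'View Page' check enforced for every action that exposes page content (view,
view source, copy, diff), not only the primary view action.  The page tree,
space and users below are constructed for illustration."""
import difflib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Page:
    page_id: int
    title: str
    space: str
    markup: str                        # wiki markup source of the page
    parent: Optional["Page"] = None
    # Explicit view restriction on this page: usernames allowed, or None when
    # no restriction is set on the page itself (it may still inherit one).
    view_restriction: Optional[frozenset] = None


# Space-level 'view' permission (constructed): users who may see the space at all.
SPACE_VIEWERS = {"ENG": frozenset({"alice", "bob"})}


class Forbidden(Exception):
    """Raised when an action would expose content the user may not view."""


def effective_view_restriction(page: Page) -> Optional[frozenset]:
    """Walk towards the root; the first page with an explicit restriction governs.
    Returns None when neither the page nor any ancestor is restricted."""
    node = page
    while node is not None:
        if node.view_restriction is not None:
            return node.view_restriction
        node = node.parent
    return None


def can_view(user: str, page: Page) -> bool:
    # Space-level permission is required first ...
    if user not in SPACE_VIEWERS.get(page.space, frozenset()):
        return False
    # ... then page-level restrictions (own or inherited) narrow access further.
    allowed = effective_view_restriction(page)
    return allowed is None or user in allowed


def _require_view(user: str, page: Page) -> None:
    if not can_view(user, page):
        raise Forbidden(f"{user} may not view page {page.page_id}")


# Every content-exposing action runs the same check on each page it reads.
def view_page(user: str, page: Page) -> str:
    _require_view(user, page)
    return page.markup


def view_source(user: str, page: Page) -> str:
    _require_view(user, page)          # same check as the primary view action
    return page.markup


def copy_page(user: str, page: Page, target_space: str, new_id: int) -> Page:
    _require_view(user, page)          # check the SOURCE page, not only the target
    if user not in SPACE_VIEWERS.get(target_space, frozenset()):
        raise Forbidden(f"{user} may not create pages in {target_space}")
    return Page(new_id, f"Copy of {page.title}", target_space, page.markup)


def diff_pages(user: str, a: Page, b: Page) -> list:
    _require_view(user, a)             # BOTH sides of the comparison are checked
    _require_view(user, b)
    return list(difflib.unified_diff(a.markup.splitlines(), b.markup.splitlines(),
                                     fromfile=a.title, tofile=b.title, lineterm=""))


def denied(action, *args) -> bool:
    """True if the action refuses with Forbidden; used to show the checks hold."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False


def build_sample_tree() -> dict:
    """Constructed page tree: a restricted parent, an unrestricted child that must
    inherit the parent's restriction, and an unrestricted public page."""
    handbook = Page(100, "Handbook", "ENG", "h1. Handbook",
                    view_restriction=frozenset({"alice"}))
    salaries = Page(101, "Salaries", "ENG", "h1. Salaries\n* alice: 1", parent=handbook)
    public = Page(200, "Public", "ENG", "h1. Public\nhello")
    return {"handbook": handbook, "salaries": salaries, "public": public}


if __name__ == "__main__":
    pages = build_sample_tree()
    for user in ("alice", "bob", "dave"):
        print(user, {name: can_view(user, p) for name, p in pages.items()})
```

The upgrade defect in the second item corresponds to `effective_view_restriction` stopping at the page itself instead of walking to the parent; the three URL-based holes correspond to `view_source`, `copy_page` or `diff_pages` omitting `_require_view`. Routing all of them through one function makes a missing check a visible omission rather than a silent one.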
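For the first item in this advisory, the fix is output encoding at every place a username is rendered. The following is an added example, not code from Confluence or its velocity templates, that contrasts raw interpolation of a stored username with HTML-encoded output and adds a registration-time username rule as defence in depth. The template fragment, the function names and the sample username are constructed here.

```python
"""Added example, not Confluence code: a username rendered into HTML with and
without output encoding, plus a registration-time username rule.  The template
fragment, function names and sample username are constructed for illustration."""
import html
import re


def render_author_unescaped(username: str) -> str:
    """The flawed pattern: the stored username is interpolated into markup as-is,
    so any tags it carries become part of the rendered page."""
    return f'<span class="author">{username}</span>'


def render_author(username: str) -> str:
    """Hardened output point: encode on output, regardless of what was stored
    or which code path produced the name."""
    return f'<span class="author">{html.escape(username, quote=True)}</span>'


_TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def foreign_tags(markup: str, template_tags=("span",)) -> list:
    """Tags present in the rendered fragment that the template itself did not
    emit.  A non-empty result means user data reached the page unencoded; this
    is the kind of check a template test suite can run over each output point."""
    return [t for t in _TAG.findall(markup) if t.lower() not in template_tags]


_USERNAME_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_acceptable_username(username: str) -> bool:
    """Defence in depth at registration: refuse names containing markup
    characters.  This does not replace output encoding, because names created
    before the rule existed, or through another path, are still rendered."""
    return bool(_USERNAME_OK.match(username))


if __name__ == "__main__":
    sample = "<i>eve</i>"    # constructed username carrying harmless markup
    print(render_author_unescaped(sample))
    print(render_author(sample))
    print(foreign_tags(render_author_unescaped(sample)), foreign_tags(render_author(sample)))
```

The advisory's title makes the practical point: the encoding must be applied at every output location, since a single template that interpolates the raw value is enough to reintroduce the issue.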
Document generated by Confluence on Mar 16, 2011 18:29