Confluence Docs 2.10 : Confluence Security Advisory 2008-05-21
This page last changed on Sep 29, 2008 by smaddox.
Users can Move Attachments to Any Page Regardless of Permissions

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a security flaw which allows users who have 'Create Page' permission in a space to move an attachment from a page in that space to any other page in the Confluence site, regardless of the user's permissions in the destination space.

The following Confluence versions are vulnerable: All versions from 1.0 to 2.8.0.

Risk Mitigation

This security flaw grants extra powers only to users who already have 'Create Page' permissions in one of the spaces on the Confluence site. In most installations, this will be a trusted group of users. If your Confluence instance allows a less trusted group of users to create and edit pages in one space, while restricting access to other spaces, you may judge it necessary to disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only.

Vulnerability

Any user who has 'Create Page' permission in a Confluence space can move an attachment from a page in that space to any other page in the Confluence site, regardless of the user's permissions in the destination space.

Note: If a user has permission to create a space, they will also have 'Create Page' permission in any space they create, including a personal space. Such users could upload an attachment onto the space they have created and then move the attachment to any page in the Confluence site.

Fix

This issue has been fixed in Confluence 2.8.1 (see the release notes), which you can download from the download centre. Alternatively, you can download and install the patch for Confluence 2.7.x or Confluence 2.8.0 from our JIRA site – see issue CONF-11452.
Our thanks to Stafford Vaughan from CustomWare, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate it when people work with us towards identifying and solving a problem.

XSS Vulnerability in Page Information View

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a security flaw which may affect Confluence instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in a Confluence action, which potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

The following Confluence versions are vulnerable: All versions from 1.3 to 2.8.0 inclusive.

Risk Mitigation

If you judge it necessary, you can hide referrers on page information views by disabling this functionality.

Vulnerability

A hacker can inject their own JavaScript into the referrer URLs which are displayed on the 'Info' view of a wiki page. The rogue JavaScript will be executed when a user opens the 'Info' view.

Fix

This issue has been fixed in Confluence 2.8.1 (see the release notes), which you can download from the download centre. Alternatively, you can download and install the patch for Confluence 2.7.x or Confluence 2.8.0 from our JIRA site – see issue CONF-11524.
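
Added example (not part of the Atlassian advisory and not Confluence's code): a Python sketch of the class of fix for referrer URLs shown on a page view, with the flawed rendering pattern beside a hardened one. It assumes referrers are rendered as links in an HTML list; all function names and sample values are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # only these become clickable links

def render_referrer_unsafe(raw: str) -> str:
    """The flawed pattern: the untrusted value goes into markup as-is."""
    return f'<li><a href="{raw}">{raw}</a></li>'

def render_referrer(raw: str) -> str:
    """Render one stored Referer value as an HTML list item, safely."""
    value = raw.strip()
    text = html.escape(value, quote=True)  # encodes & < > " '
    plain = f"<li>{text}</li>"
    # Control characters can hide a scheme from naive checks; never link them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return plain
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 host
        return plain
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return plain  # javascript:, data:, relative junk: show as text only
    return f'<li><a href="{text}" rel="nofollow noreferrer">{text}</a></li>'

def render_referrers(values) -> str:
    """Render a whole referrer list for the page view."""
    return "<ul>" + "".join(render_referrer(v) for v in values) + "</ul>"

# Constructed sample data, not taken from any real access log.
SAMPLE_REFERRERS = [
    "http://example.com/search?q=wiki&lang=en",
    'http://example.com/"><script>alert(1)</script>',
    "javascript:alert(1)",
]

if __name__ == "__main__":
    print(render_referrers(SAMPLE_REFERRERS))
```
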
Document generated by Confluence on Dec 03, 2008 15:04