Confluence 2.7 Temp Archive : Confluence Security Advisory 2007-12-14
This page last changed on Dec 13, 2007 by smaddox.
In this advisory: XSS Vulnerability in Configure RSS Feed ActionSeverityAtlassian rates this vulnerability as HIGH, according to the scale published by the SANS Institute. The scale allows us to rank a vulnerability as critical, high, moderate or low, as described in the SANS vulnerability analysis. Risk AssessmentWe have identified and fixed a security flaw which may affect Confluence instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in a Confluence action, which potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.
To fix the vulnerabilities described below, Atlassian recommends that you take one of the following steps:
You can read more about XSS attacks at cgisecurity, CERT and other places on the web. Risk MitigationIf you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only. VulnerabilityA hacker can inject their own JavaScript into the following Confluence action: http://www.anyhost.com/confluence/dashboard/configurerssfeed.action
The above Confluence action is used to build an RSS feed based on your Confluence pages and news items. The action is invoked when a selects 'Feed Builder' from your Confluence Dashboard. It can also be invoked by simply entering the URL into the browser address bar. FixThese issues have been fixed in Confluence 2.7, which you can download from the download centre. A patch is available for Confluence 2.5.8 and Confluence 2.6.2. For more information, please see CONF-10164. Our thanks to jeff peichel, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate his working with us towards identifying and solving the problem. Please let us know what you think of the format of this security advisory and the information we have provided. |
![]() |
Document generated by Confluence on Dec 20, 2007 18:52 |