Issue Details

Key: CONF-10807
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Blocker
Assignee: Dave Loeng [Atlassian]
Reporter: Neeraj Jhanji [Atlassian]
Votes: 0
Watchers: 2
Confluence

Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

Created: 25/Feb/08 12:05 AM   Updated: 25/Mar/08 12:08 PM
Component/s: Security
Affects Version/s: 2.4.3, 2.7, 2.7.1
Fix Version/s: 2.7.2

Time Tracking:
Not Specified

File Attachments: 1. Zip Archive patch-2.5.x-2.6.x.zip (1 kB)
2. File PurgeTrashItemAction.class (3 kB)

Environment: all
Issue Links:

Participants: Andrew Miller, Dave Loeng [Atlassian], Jeff Turner [Atlassian] and Neeraj Jhanji [Atlassian]
Since last comment: 38 weeks, 4 days ago
Internal Complexity: 2
Resolution Date: 04/Mar/08 05:50 PM
Internal Value: 7
Labels:


Description
If a user has at least view permissions on a space they can purge any page in that space using the URL:

/pages/purgetrashitem.action?key=&contentId=

and the right contentId and space key.

A purge can be performed even if the page has not been marked for deletion.

This issue has been replicated and verified by the Confluence support team:
https://support.atlassian.com/browse/CSP-16133

This is a critical security hole and should be fixed ASAP.



Comments
Dave Loeng [Atlassian] added a comment - 25/Feb/08 10:16 PM
Looking into this issue now.

Dave Loeng [Atlassian] added a comment - 25/Feb/08 10:41 PM
Thanks for submitting this problem.

We've confirmed that this is a problem, but the user has to have permissions to view the space at least.

Looking into a patch/fix for this issue.


Dave Loeng [Atlassian] added a comment - 25/Feb/08 11:55 PM - edited

Patch Instructions for 2.7.x users

  1. Shutdown Confluence
  2. Create the following directories com/atlassian/confluence/pages/actions in your confluence/WEB-INF/classes directory.
  3. Copy the attached PurgeTrashItemAction.class to confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions
  4. Startup Confluence

Patch Change Summary

This patch will cause trash purging to check for space administrator permissions before allowing purging to proceed. All users without such a permission will be presented with a "Not Permitted" screen. Even direct posting to dopurgetrashitem.action is protected.


Dave Loeng [Atlassian] added a comment - 25/Feb/08 11:56 PM
The check for the item to be marked as deleted or trashed will be rolled into the main point release (2.7.2) to simplify the patch and patching procedure.
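
The guard described in the two comments above, written out as an added example. This is not the attached PurgeTrashItemAction.class or any Atlassian code: every class here (User, Page, SpacePermissions, ContentStore) is a hypothetical stand-in for the corresponding Confluence type so the file compiles on its own. It shows the pre-patch shape beside the patched one, with the space-administrator check from the 2.7.x patch and the must-be-trashed check that went into 2.7.2, shared by both the GET and the POST entry point.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not the attached PurgeTrashItemAction.class): a self-contained
 * model of the authorization logic the patch notes describe. All types here are
 * hypothetical stand-ins for Confluence classes so the file compiles alone.
 */
public class PurgeTrashItemExample {

    static final class User {
        final String name;
        User(String name) { this.name = name; }
    }

    /** Stand-in for a Confluence page; 'trashed' mirrors "marked for deletion". */
    static final class Page {
        final long id;
        final String spaceKey;
        final boolean trashed;
        Page(long id, String spaceKey, boolean trashed) {
            this.id = id; this.spaceKey = spaceKey; this.trashed = trashed;
        }
    }

    /** Hypothetical permission store: space key -> names of space administrators. */
    static final class SpacePermissions {
        private final Map<String, Set<String>> admins = new HashMap<>();
        void grantAdmin(String spaceKey, User user) {
            admins.computeIfAbsent(spaceKey, k -> new HashSet<>()).add(user.name);
        }
        boolean isSpaceAdmin(User user, String spaceKey) {
            return admins.getOrDefault(spaceKey, Set.of()).contains(user.name);
        }
    }

    /** Hypothetical content store keyed by contentId. */
    static final class ContentStore {
        final Map<Long, Page> pages = new HashMap<>();
        void add(Page p) { pages.put(p.id, p); }
    }

    /** Pre-patch shape: whoever reaches the action purges whatever id they name. */
    static boolean purgeUnchecked(ContentStore store, long contentId) {
        return store.pages.remove(contentId) != null;
    }

    /**
     * Patched shape. Returns a webwork-style result name; "notpermitted" is what
     * the "Not Permitted" screen would be mapped to.
     */
    static String purgeChecked(SpacePermissions perms, ContentStore store,
                               User user, String key, long contentId) {
        Page page = store.pages.get(contentId);
        // Design point of this example (not stated in the comments): bind the id
        // to the space named in the request, otherwise an administrator of one
        // space could purge content of another by supplying their own key.
        if (page == null || !page.spaceKey.equals(key)) {
            return "notfound";
        }
        // Check 1 (the attached 2.7.x patch): space administrators only.
        if (!perms.isSpaceAdmin(user, key)) {
            return "notpermitted";
        }
        // Check 2 (rolled into 2.7.2): the item must already be in the trash.
        if (!page.trashed) {
            return "notpermitted";
        }
        store.pages.remove(contentId);
        return "success";
    }

    // The GET (purgetrashitem.action) and POST (dopurgetrashitem.action) entry
    // points call the same guard, so posting straight to "do" does not bypass it.
    static String purgetrashitem(SpacePermissions p, ContentStore s, User u, String key, long id) {
        return purgeChecked(p, s, u, key, id);
    }
    static String dopurgetrashitem(SpacePermissions p, ContentStore s, User u, String key, long id) {
        return purgeChecked(p, s, u, key, id);
    }

    public static void main(String[] args) {
        // Constructed sample data: one space admin, one viewer, three pages.
        SpacePermissions perms = new SpacePermissions();
        ContentStore store = new ContentStore();
        User admin = new User("alice");
        User viewer = new User("bob");
        perms.grantAdmin("DEMO", admin);
        store.add(new Page(101L, "DEMO", true));   // in the trash
        store.add(new Page(102L, "DEMO", false));  // live page, not marked for deletion
        store.add(new Page(201L, "OTHER", true));  // trashed, but in a different space

        System.out.println("viewer, trashed page:     " + dopurgetrashitem(perms, store, viewer, "DEMO", 101L));
        System.out.println("admin, live page:         " + dopurgetrashitem(perms, store, admin, "DEMO", 102L));
        System.out.println("admin, other space's id:  " + dopurgetrashitem(perms, store, admin, "DEMO", 201L));
        System.out.println("admin, trashed page:      " + dopurgetrashitem(perms, store, admin, "DEMO", 101L));
    }
}
```

Compile and run with `javac PurgeTrashItemExample.java && java PurgeTrashItemExample`. Only the last call removes anything; the viewer is refused by the permission check, the live page by the trashed check, and the foreign id by the space binding. The space binding is an addition of this example rather than something the comments describe, but it is the check a reviewer would ask for whenever an action takes both a space key and a content id.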

Dave Loeng [Atlassian] added a comment - 26/Feb/08 10:22 PM - edited

Instructions for Confluence 2.5.x and 2.6.x users

The patch instructions for 2.5.x and 2.6.x are identical to those listed above. The only difference is that we've included a separate patched class that we specifically tested against 2.5.x and 2.6.x.

You will find this patched class inside the patch-2.5.x-2.6.x.zip (which is attached).


Neeraj Jhanji [Atlassian] added a comment - 26/Feb/08 10:24 PM
Is there a possibility to provide a patch for 2.4.3 users?

Dave Loeng [Atlassian] added a comment - 04/Mar/08 05:49 PM - edited
Unfortunately, no patch will be issued for 2.4.3.

The patches currently attached do not work on 2.4.x. Please do not attempt to patch your install with them.


Dave Loeng [Atlassian] added a comment - 05/Mar/08 09:13 PM
Just tested our existing 2.6.x patch against 2.5.x and it works.

The existing patch has been renamed to indicate compatibility with 2.5. Instructions have also been updated.