[#CONF-11524] XSS vulnerability in viewinfo.action

Confluence

XSS vulnerability in viewinfo.action

Created: 21/Apr/08 11:28 AM Updated: 05/Jun/08 07:34 PM

Component/s:

Security

Affects Version/s:

2.8

Fix Version/s:

2.8.1

Time Tracking:

Not Specified

File Attachments:

PageInfoAction.class (9 kB)
2.

viewinfo.vm (24 kB)

Issue Links:

Cause

This issue causes:

~~CONF-12056~~ Hot Referrers section in page info has broken links

Participants:	Anatoli Kazatchkov [Atlassian], Chris Broadfoot [Atlassian] and Don Willis [Atlassian]
Since last comment:	29 weeks, 4 days ago
Resolution Date:	01/May/08 09:16 PM
Labels:

Description

« Hide

Referrer URLs are not encoded in viewinfo.vm

All

Comments

Work Log

Change History

Sort Order:

[ Permlink | « Hide ]

Anatoli Kazatchkov [Atlassian] added a comment - 04/May/08 08:38 PM

Patch Instructions for 2.7.x and 2.8.0 users

Shutdown Confluence
Create the following directories com/atlassian/confluence/pages/actions in your confluence/WEB-INF/classes directory.
Copy the attached PageInfoAction.class to confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions
Copy the attached viewinfo.vm to confluence/pages
Startup Confluence

[ Permlink | « Hide ]

Anatoli Kazatchkov [Atlassian] added a comment - 08/May/08 11:32 PM

It is possible to remove a referrer under Administration Console - > Manage Referrers by purging referrers with a particular prefix.
It is also possible not to show referrers in page info by disabling it under Administration Console - > Manage Referrers