Hidden pages' content can be viewed without permission using diffpages.action

XMLWordPrintable

      If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.
      EG:
      Two spaces A and B
      Page with id 1 is in Space A
      Page with id 2 is in Space B
      User cannot see Space A
      User can see Space B

      The following URL will allow the user to view a diff of the two pages, thus easily deriving the content of the page in the hidden space.

      http://confluence.example.com/pages/diffpages.action?pageId=2&originalId=1

        1. AbstractDiffPagesAction.class-2.6.2
          3 kB
        2. AbstractDiffPagesAction.class-2.7.3
          3 kB
        3. AbstractDiffPagesAction.class-2.8.2
          3 kB
        4. AbstractDiffPagesAction.java-2.6.2
          2 kB
        5. AbstractDiffPagesAction.java-2.7.3
          2 kB
        6. AbstractDiffPagesAction.java-2.8.2
          2 kB

              Assignee:
              Don Willis
              Reporter:
              Don Willis
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: