[CONFSERVER-20668] Path traversal vulnerability in various Confluence actions

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.3.3
Affects Version/s: 2.7
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a path traversal vulnerability in various Confluence actions. By exploiting a path traversal vulnerability, attackers can retrieve any file on the server that is running Confluence, based on the permissions of the user under which Confluence is running. Path traversal attacks are also called 'directory traversal' or dot-dot-slash (../) attacks.

You can read more about path traversal attacks at Open Web Application Security Project (OWASP) and other places on the web:
http://www.owasp.org/index.php/Path_Traversal

Please refer to the security advisory for details of the vulnerability, risk assessment and mitigation strategies:
http://confluence.atlassian.com/x/7ARODQ

Don Willis added a comment - 31/Jan/2011 5:14 PM

Jeff Kirby added a comment - 31/Jan/2011 5:07 PM

Thank you, gentleman. Don, your URL worked great.

Jeff Kirby added a comment - 31/Jan/2011 5:07 PM Thank you, gentleman. Don, your URL worked great.

Don Willis added a comment - 31/Jan/2011 12:45 PM

Hi Jeff,

It's a system plugin, so it actually won't show up in the plugin manager.
It should show up if you go to <baseurl>/admin/viewplugins.action?pluginKey=com.atlassian.confluence.extra.nullCharRejection.nullCharRejectionPlugin

Don Willis added a comment - 31/Jan/2011 12:45 PM Hi Jeff, It's a system plugin, so it actually won't show up in the plugin manager. It should show up if you go to <baseurl>/admin/viewplugins.action?pluginKey=com.atlassian.confluence.extra.nullCharRejection.nullCharRejectionPlugin

Joe Clark added a comment - 30/Jan/2011 10:55 PM

Hi Jeff,

I'll chase this up with the developer who wrote the plugin and find out. The plugin may hide itself from the administration console in order to prevent a malciious or inept administrator from disabling the plugin.

Joe.

Joe Clark added a comment - 30/Jan/2011 10:55 PM Hi Jeff, I'll chase this up with the developer who wrote the plugin and find out. The plugin may hide itself from the administration console in order to prevent a malciious or inept administrator from disabling the plugin. Joe.

Jeff Kirby added a comment - 28/Jan/2011 6:40 PM

Thank you for identifying this and for making a patch available for Confluence 3.3.1.
Is it normal that the nullCharacterRejectionFilterPlugin doesn't show up in the list of installed plugins once the patch has been applied?

Jeff Kirby added a comment - 28/Jan/2011 6:40 PM Thank you for identifying this and for making a patch available for Confluence 3.3.1. Is it normal that the nullCharacterRejectionFilterPlugin doesn't show up in the list of installed plugins once the patch has been applied?

Assignee:: Don Willis

Reporter:: SarahA

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 25/Aug/2010 1:39 AM

Updated:: 11/Oct/2018 9:03 AM

Resolved:: 21/Sep/2010 2:01 AM

Details

Description

Attachments

Forms

Activity

Collapse comment: Don Willis added a comment - 31/Jan/2011 5:14 PM

Expand comment: Don Willis added a comment - 31/Jan/2011 5:14 PM

Collapse comment: Jeff Kirby added a comment - 31/Jan/2011 5:07 PM

Expand comment: Jeff Kirby added a comment - 31/Jan/2011 5:07 PM

Collapse comment: Don Willis added a comment - 31/Jan/2011 12:45 PM

Expand comment: Don Willis added a comment - 31/Jan/2011 12:45 PM

Collapse comment: Joe Clark added a comment - 30/Jan/2011 10:55 PM

Expand comment: Joe Clark added a comment - 30/Jan/2011 10:55 PM

Collapse comment: Jeff Kirby added a comment - 28/Jan/2011 6:40 PM

Expand comment: Jeff Kirby added a comment - 28/Jan/2011 6:40 PM

People

Dates