
Key: CONF-9718
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Christopher Owen [Atlassian]
Reporter: Matt Ryall [Atlassian]
Votes: 0
Watchers: 0
Confluence

DWR debug mode is enabled

Created: 15/Oct/07 08:27 PM   Updated: 18/Nov/07 09:17 PM
Component/s: Engine Room / Architecture, Security, Web Interface - JavaScript/AJAX
Affects Version/s: 2.6.0
Fix Version/s: 2.6.1

Time Tracking:
Not Specified

Issue Links:
Duplicate
 

Participants: Christopher Owen [Atlassian], Matt Ryall [Atlassian] and Paul Curren [Atlassian]
Since last comment: 1 year, 7 weeks, 3 days ago
Resolution Date: 16/Oct/07 12:19 AM
Labels:


Description
This gives a potential attacker lots of information about available AJAX request handlers in Confluence.

Matt Ryall [Atlassian] added a comment - 15/Oct/07 08:52 PM
Quick review from Chris would be good so he's aware of the problem.

Christopher Owen [Atlassian] added a comment - 16/Oct/07 12:19 AM - edited
Yes, needless to say we should not have debug modes enabled by default on shipped products anywhere. Might be useful to hook this mode into Confluence's developer run mode.

Paul Curren [Atlassian] added a comment - 18/Nov/07 07:16 PM
If you need to manually fix this problem on your instance, you should edit the <confluence install>/confluence/WEB-INF/web.xml and locate the following lines:
<servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
<init-param>
    <param-name>debug</param-name>
    <param-value>true</param-value>
</init-param>

Change the param-value to false.