Details
-
Bug
-
Resolution: Fixed
-
Medium
-
None
-
4.3
-
Description
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
Summary of The Bug
By browsing to the following URL path user would be able to download any files under <Conf_Install_Dir>/confluence/WEB-INF/...
<Server Base URL>/s/1519/3/1.0/_/WEB-INF/...
The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access
Notes
This issue is not reproducible in IE9 (IE8 leads to the same issue)
Attachments
Issue Links
- is related to
-
CONFSERVER-27693 Default application configuration files are available for download
- Closed
- relates to
-
CONFCLOUD-26888 Arbitrary resource file download in urlrewrite.xml
- Closed