  1. Confluence Server and Data Center
  2. CONFSERVER-13874

Confluence displays ALL attachments when the following URL is viewed


    Details

      Description

      I removed the space key from the URL for the normal space attachment viewing, and it displays all the attachments for all spaces in the install of Confluence, irrespective of space and page level permission restrictions.

      For Example:
      http://confluence.atlassian.com/spaces/listattachmentsforspace.action

      While this does not allow people to download the files, it does give people the names of the files, the location and the page they are attached to.

      Could this be patched ASAP!

      We will be blocking the URL through our Apache install for the moment until this is rectified.

      Thanks.
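
Added example (not part of the original report and not Atlassian's code): a Python check over reverse-proxy access logs that finds requests which reached the attachment listing without a space key and were actually served. The `key` query parameter name, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Action path taken from the report; a context-path prefix (e.g. /wiki) is allowed.
ACTION = "/spaces/listattachmentsforspace.action"
# Assumption: the space is selected by a "key" query parameter (not shown on the page).
SPACE_PARAM = "key"

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_unscoped(target):
    """True if target hits the attachment listing without a usable space key."""
    parts = urlsplit(target)
    # Decode %-escapes and drop path parameters such as ;jsessionid=...
    path = unquote(parts.path).split(";", 1)[0].lower()
    if not path.endswith(ACTION):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    values = [v.strip() for name, vs in params.items()
              if name.lower() == SPACE_PARAM for v in vs]
    # A missing key is the reported case; an empty one is treated the same (assumption).
    return not any(values)

def find_unscoped_requests(lines):
    """Return (time, ip, user, status, target) for each served unscoped request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_unscoped(m["target"]):
            continue
        # Only 2xx responses mean the listing was returned to the client.
        if m["status"].startswith("2"):
            hits.append((m["time"], m["ip"], m["user"], int(m["status"]), m["target"]))
    return hits

# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /spaces/listattachmentsforspace.action HTTP/1.1" 200 48211',
    '203.0.113.7 - jdoe [01/Jan/2024:10:01:09 +0000] "GET /spaces/listattachmentsforspace.action?key=DOC HTTP/1.1" 200 9120',
    '198.51.100.23 - - [01/Jan/2024:10:05:40 +0000] "GET /spaces/listattachmentsforspace.action;jsessionid=A1B2?key= HTTP/1.1" 200 47990',
    '198.51.100.23 - - [01/Jan/2024:10:09:12 +0000] "GET /spaces/listattachmentsforspace.action HTTP/1.1" 403 312',
    '192.0.2.10 - - [01/Jan/2024:10:10:00 +0000] "GET /display/DOC/Home HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for hit in find_unscoped_requests(SAMPLE_LOG):
        print(hit)
```

Requests answered with 403 are skipped, so once the URL is blocked at the proxy the check reports only requests served before the block took effect.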

        Attachments

        1. 2.8.2.zip
          3 kB
        2. 2.9.2.zip
          3 kB

          Activity

            People

            Assignee:
            mjensen m@
            Reporter:
            Matthew Goonan
            Votes:
            0
            Watchers:
            0

              Dates

              Created:
              Updated:
              Resolved: