It is possible to set the daily backup path and (partial) name through the web UI. This could mean that information can be obtained by a rouge admin. This issue addresses that by introducing a flag so concerned administrators can remove this feature. This flag is set to false by default meaning it is not possible to edit the path through the admin ui. The flag admin.ui.allow.daily.backup.custom.location in confluence.cfg.xml can be set to true to enable easy configuring of the path. This issue is rated MODERATE. Please refer to http://confluence.atlassian.com/x/ZILmD for more information on other security related issues and how we rate issues.