Details
-
Bug
-
Resolution: Fixed
-
Highest
-
4.2.1
-
None
-
Exists in online demonstration environment.
-
4.3
-
Description
It is possible to anonymously enumerate all usernames via the script at /rest/prototype/1/search/user.json?max-results=10&query=XX. The 'query' GET parameter should contain at least two charakters. It is possible to enumerate all usernames by performing a search from 'query' value 'aa' to 'zz'.
When the following GET request is made:
GET /rest/prototype/1/search/user.json?max-results=10&query=si HTTP/1.1 Host: confluence.atlassian.com
The following answer is given:
HTTP/1.1 200 OK
Date: Tue, 24 Apr 2012 13:32:11 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
Keep-Alive: timeout=3, max=20
Connection: Keep-Alive
Content-Length: 11707
{"totalSize":846,"result":[{"id":"254738536","type":"user","title":"Harshil Singhal","wikiLink":"[~hs39867]","createdDate":{"friendly":"Aug 22, 2011","date":"2011-08-22T21:52:45-0500"},"creator":{"links":[{"href":"https://confluence.atlassian.com/rest/prototype/1/user/system/anonymous","rel":"self"}],"avatarUrl":"/s/en_GB/3277/16/_/images/icons/profilepics/anonymous.png","anonymous":true,"displayName":"Anonymous"},"lastModifier":{"links":[{"href":"https://confluence.atlassian.com/rest/prototype/1/user/system/anonymous","rel":"self"}],"avatarUrl":"/s/en_GB/3277/16/_/images/icons/profilepics/anonymous.png","anonymous":true,"displayName":"Anonymous"},"username":"hs39867","thumbnailLink":
[..]
Attachments
Issue Links
- relates to
-
-
- Closed
-
