Details
- Bug
- Resolution: Fixed
- Medium
- 5.2.3
- None
- Confluence version 5.2.3 (standalone), running on Ubuntu Server 12.04.
- 5
Description
It is possible for unauthenticated users to retrieve a large amount of information from a Confluence instance, including page titles, attachment filenames, and usernames, by making calls to the link REST API in the confluence-tinymce-plugin. This is effective even when the anonymous user does not have any permissions in Confluence, and represents a significant information leak.
It is relatively easy to exploit this issue, given that information on a resource can be obtained simply by specifying its numeric identifier in the request, so a brute-force attack could be designed to iterate through all possible identifiers and hence retrieve a lot of detail about the internal structure of a Confluence instance (in terms of spaces and pages), although it does not allow actual content to be retrieved.
The following unauthenticated request (note the absence of a session cookie) retrieves information about a Confluence page, which is located in a space only accessible to administrators. Obviously the attacker could not be expected to know the content ID a priori, but could simply iterate through the numbers. Note that the page title and space key are returned:
GET /rest/tinymce/1/link/placeholder?resourceType=page&resourceId=1507337 HTTP/1.1
Host: xxxx:8090
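From the defender's side, the identifier iteration described above leaves a recognisable trace in access logs: one client, no authenticated user, many distinct resourceId values against the placeholder endpoint. The following detection script is an added example, not part of the original report or of Confluence; it assumes access logs in Apache combined format in front of Confluence (the %u field, "-" for anonymous, stands in for the missing session cookie, which access logs do not normally record) and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined style). The third field is
# the authenticated user, "-" meaning anonymous. IPs and IDs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /rest/tinymce/1/link/placeholder?resourceType=page&resourceId=1507337 HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /rest/tinymce/1/link/placeholder?resourceType=page&resourceId=1507338 HTTP/1.1" 200 298
10.0.0.5 - - [01/Jan/2014:10:00:02 +0000] "GET /rest/tinymce/1/link/placeholder?resourceType=page&resourceId=1507339 HTTP/1.1" 404 120
10.0.0.5 - - [01/Jan/2014:10:00:02 +0000] "GET /rest/tinymce/1/link/placeholder?resourceType=attachment&resourceId=1507340 HTTP/1.1" 200 301
10.0.0.9 - alice [01/Jan/2014:10:00:03 +0000] "GET /rest/tinymce/1/link/placeholder?resourceType=page&resourceId=1507337 HTTP/1.1" 200 312
10.0.0.9 - alice [01/Jan/2014:10:00:04 +0000] "GET /rest/tinymce/1/link/placeholder?resourceType=page&resourceId=1507338 HTTP/1.1" 200 298
10.0.0.7 - - [01/Jan/2014:10:00:05 +0000] "GET /display/ADMIN/Home HTTP/1.1" 302 0
"""

# %h %l %u %t "%r" %>s ... ; we only need client, user, request target and status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLACEHOLDER_PATH = "/rest/tinymce/1/link/placeholder"  # endpoint named in the report

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec

def find_anonymous_enumeration(log_text, threshold=3):
    """Return {client_ip: sorted distinct resourceIds} for anonymous clients that asked
    the placeholder endpoint about at least `threshold` different resourceIds.
    Misses (404) are counted too: an enumerating client produces many of them."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != PLACEHOLDER_PATH or rec["user"] != "-":
            continue
        for rid in rec["query"].get("resourceId", []):
            seen[rec["ip"]].add(rid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}
```

Tune the threshold to the normal anonymous traffic on your instance; on an instance where anonymous access is disabled entirely, any hit at all is worth investigating.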