Hidden pages' content can be viewed without permission using diffpages.action


If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.

For example:
Two spaces, A and B.
Page with id 1 is in Space A.
Page with id 2 is in Space B.
User cannot see Space A.
User can see Space B.

The following URL will allow the user to view a diff of the two pages, thus easily deriving the content of the page in the hidden space.

http://confluence.example.com/pages/diffpages.action?pageId=2&originalId=1
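
The missing check described above, next to a corrected form, as an added example that is not part of the original report and is not Confluence's code. It is a stand-alone model: every class, method and data value is hypothetical, and it assumes the flaw is that only the page named by pageId is authorized while originalId is not.

```java
import java.util.*;

// Stand-alone model of a two-page diff action. All names are hypothetical;
// this is not Confluence's AbstractDiffPagesAction.
public class DiffPagesAuthz {
    record Page(long id, String spaceKey, String body) {}

    // Constructed sample data matching the report: page 1 in space A, page 2 in space B.
    static final Map<Long, Page> PAGES = Map.of(
        1L, new Page(1, "A", "text of the hidden page"),
        2L, new Page(2, "B", "text of the visible page"));
    // The user may view space B only.
    static final Map<String, Set<String>> VIEWABLE = Map.of("user", Set.of("B"));

    static boolean canView(String user, Page p) {
        return p != null && VIEWABLE.getOrDefault(user, Set.of()).contains(p.spaceKey());
    }

    static String diff(Page original, Page current) {
        return "- " + original.body() + "\n+ " + current.body();
    }

    // Flawed pattern (assumed): only the page named by pageId is authorized,
    // so originalId can refer to a page in a space the user cannot see.
    static String diffUnchecked(String user, long pageId, long originalId) {
        Page current = PAGES.get(pageId);
        Page original = PAGES.get(originalId);
        if (!canView(user, current)) return "denied";
        if (original == null) return "not found";
        return diff(original, current);
    }

    // Corrected pattern: every page that contributes to the response is
    // authorized before any content is read. A missing page and a forbidden
    // page get the same answer, so the response does not confirm which ids exist.
    static String diffChecked(String user, long pageId, long originalId) {
        Page current = PAGES.get(pageId);
        Page original = PAGES.get(originalId);
        if (!canView(user, current) || !canView(user, original)) return "denied";
        return diff(original, current);
    }

    public static void main(String[] args) {
        // The request from the report (pageId=2, originalId=1) through both variants.
        System.out.println(diffUnchecked("user", 2, 1));
        System.out.println(diffChecked("user", 2, 1));
    }
}
```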
      

1. AbstractDiffPagesAction.class-2.7.3 (3 kB, Chris Kiehl)
2. AbstractDiffPagesAction.class-2.8.2 (3 kB, Chris Kiehl)
3. AbstractDiffPagesAction.java-2.7.3 (2 kB, Chris Kiehl)
4. AbstractDiffPagesAction.java-2.8.2 (2 kB, Chris Kiehl)
5. AbstractDiffPagesAction.class-2.6.2 (3 kB, Paul Curren)
6. AbstractDiffPagesAction.java-2.6.2 (2 kB, Paul Curren)

Assignee: Don Willis
Reporter: Don Willis