Information leak when accessing URL directly

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 2.0.3
    • Affects Version/s: 2.0
    • Component/s: None
    • Environment:

      Latest Confluence

      Confluence 2.0, Red Hat Linux. MySQL backend.

      1. Create a new space, call it whatever you like.
      2. Copy link to new space's Home and send to someone who shouldn't have permission to view it
      3. When they click the link, it shows that the page wasn't found, but asks if they wanted the page they were just trying to access. It even gives an excerpt from that page. Even if they don't have permission to view it!

      Leaks only a small amount of information, but it allows the user to get access to stuff they've been denied access to. Bad.
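
The behaviour reported above, reduced to an added sketch (not Confluence's code and not the fix that shipped): a "page not found" handler that builds its suggestion list without a permission check, beside one that filters every candidate first. The `Page` model, all function names and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Page:
    space: str
    title: str
    body: str
    viewers: Optional[frozenset] = None  # None means anyone may view

def can_view(page, user):
    return page.viewers is None or user in page.viewers

def similar(pages, space, title):
    """Candidate pages for the 'did you mean' list shown on a 404."""
    words = set(title.lower().split())
    return [p for p in pages
            if p.space == space and words & set(p.title.lower().split())]

def suggest_leaky(pages, user, space, title):
    # Permissions are never consulted here, so the page the user was just
    # denied comes back as a suggestion with an excerpt of its body.
    return [(p.title, p.body[:40]) for p in similar(pages, space, title)]

def suggest_filtered(pages, user, space, title):
    # Same lookup, but each candidate must pass the permission check
    # before its title or excerpt is rendered.
    return [(p.title, p.body[:40])
            for p in similar(pages, space, title) if can_view(p, user)]

def view(pages, user, space, title, suggest):
    """Return (status, suggestions); a page the user may not see is a 404."""
    for p in pages:
        if p.space == space and p.title == title and can_view(p, user):
            return 200, []
    return 404, suggest(pages, user, space, title)

# Constructed sample data: one restricted page, one readable by anyone.
PAGES = [
    Page("PROJ", "Home", "Acquisition plan: confidential draft",
         frozenset({"alice"})),
    Page("PROJ", "Home Office Guide", "Public notes on working from home"),
]
```
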

              Assignee:
              Jeremy Higgs
              Reporter:
              Andrew Hurst
              Votes:
              0
              Watchers:
              1

                Created:
                Updated:
                Resolved: