Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 8.5.6
- 1
- Severity 3 - Minor
Description
Issue Summary
When the option to authenticate with username and password is removed from the login form, basic authentication can still be used to log in.
This is reproducible on Data Center: Yes
Steps to Reproduce
Step 1. Remove the option to authenticate with username and password from the login form, as shown in the attached screenshot.
Step 2. Using the commands below, a JSESSIONID can still be obtained and then used to pull page content.
curl -i -d 'os_username=<username>&os_password=<password>&login=Log+in&os_destination=%2F' <base-url>/dologin.action
curl -b 'JSESSIONID=<JSESSIONID>' <base-url>/display/<space-key>/<page-title>
Below is the sample output:
curl -i -d 'os_username=<username>&os_password=<password>&login=Log+in&os_destination=%2F' https://linux-65091.prod.atl-cd.net/confluence/dologin.action
HTTP/2 302
cache-control: no-store
content-type: text/html;charset=UTF-8
date: Tue, 27 Feb 2024 12:54:10 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
location: /confluence/
set-cookie: _b0691=96ba2532ab5fb23f; Path=/
set-cookie: JSESSIONID=D01146B96319894F04C3B535FA9B8782; Path=/confluence; Secure; HttpOnly
strict-transport-security: max-age=31536000
x-confluence-cluster-node: da0e1b24
x-confluence-cluster-node-name: confluence1
x-confluence-request-time: 1709038450862
x-seraph-loginreason: OK
content-length: 0
Expected Results
Since the request above is a form of basic authentication, the response should be:
{"message":"Login form has been disabled on this instance."}
Actual Results
A successful login response that sets a JSESSIONID is returned.
Workaround
Update the SSO for Atlassian Data Center plugin to v4.2.28 or later.
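A verification check an administrator can run after disabling the form or applying the workaround (added here; not part of the report or of Atlassian's code): pipe the output of the first curl command from the steps above into this script, which parses the `curl -i` response and reports whether a session was issued or the expected "disabled" message came back. The HTTP status code used for the disabled case is an assumption; the session-issued sample reproduces the headers from the report.

```python
"""Classify a Confluence dologin.action response (added example, not from the report).
Usage: curl -i -d '...' <base-url>/dologin.action | python3 check_dologin.py"""
import json
import sys

FORM_DISABLED_MESSAGE = "Login form has been disabled on this instance."
# Headers reproduced from the sample output in the report (empty body).
SAMPLE_SESSION_ISSUED = (
    "HTTP/2 302\r\ncache-control: no-store\r\nset-cookie: _b0691=96ba2532ab5fb23f; Path=/\r\n"
    "set-cookie: JSESSIONID=D01146B96319894F04C3B535FA9B8782; Path=/confluence; Secure; HttpOnly\r\n"
    "x-seraph-loginreason: OK\r\ncontent-length: 0\r\n\r\n"
)
# Constructed response for the expected behaviour; the status code is an assumption.
SAMPLE_FORM_DISABLED = (
    "HTTP/2 403\r\ncontent-type: application/json\r\n\r\n"
    '{"message":"Login form has been disabled on this instance."}'
)


def parse_curl_response(raw):
    """Split `curl -i` output into (status, headers, body); names are lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])  # "HTTP/2 302" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Repeated headers such as set-cookie are kept as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body.strip()


def classify(status, headers, body):
    """Return 'form-disabled', 'session-issued' or 'other'."""
    try:
        if json.loads(body).get("message") == FORM_DISABLED_MESSAGE:
            return "form-disabled"
    except (ValueError, AttributeError):
        pass  # empty or non-JSON body: fall through to the cookie check
    cookies = headers.get("set-cookie", [])
    if status == 302 and any(c.startswith("JSESSIONID=") for c in cookies):
        if headers.get("x-seraph-loginreason") == ["OK"]:
            return "session-issued"
    return "other"


if __name__ == "__main__":
    verdict = classify(*parse_curl_response(sys.stdin.read()))
    print(verdict)
    sys.exit(1 if verdict == "session-issued" else 0)
```

A non-zero exit means the instance still issues sessions for form credentials despite the form being disabled.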
Attachments
Issue Links
- follows VULN-1222600