[CWD-2950] Crowd leaks the value of the HTTP only 'crowd.token_key' cookie on the crowd/console/500.jsp page

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 2.5.3
Affects Version/s: None
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

cert.fr@cassidian.com reported the following vulnerability:
== Type ==
Information Disclosure

== Product ==
Atlassian Crowd

== Severity ==
Medium

== Description ==
The crowd.token_key cookie, used as a token to authenticate on all Atlassian applications, is marked as HttpOnly.
However, the Crowd 500 error page (/crowd/console/500.jsp) displays this cookie?s value, breaking the HttpOnly behavior.

mentioned in: Wiki Page Failed to load; Wiki Page Failed to load; Wiki Page Failed to load

joe added a comment - 17/Oct/2012 5:21 AM

500.jsp iterates over the session properties before printing them. Add a check and replace crowd.token_key's value with XXXs. The cookie name can be configured: for a proper fix we'll need to check the current name.

joe added a comment - 17/Oct/2012 5:21 AM 500.jsp iterates over the session properties before printing them. Add a check and replace crowd.token_key 's value with XXXs. The cookie name can be configured: for a proper fix we'll need to check the current name.

Assignee:: ArvindA

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 17/Oct/2012 5:04 AM

Updated:: 05/Dec/2019 1:35 AM

Resolved:: 23/Nov/2012 3:37 AM

Estimated:

Not Specified

Remaining:

Not Specified

Logged:

53m

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: joe added a comment - 17/Oct/2012 5:21 AM

Expand comment: joe added a comment - 17/Oct/2012 5:21 AM

People

Dates

Time Tracking