Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 5.2.6, 6.0-OD-06
Affects Version/s: 5.2.4
Component/s: Project Administration - Permissions
Labels:

Introduced in Version:
5.02
CVSS Score:
4.3
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Summary of The Bug

By browsing to the following URL path user would be able to download any files under <JIRA_Install_Dir>/atlassian-jira/WEB-INF/...

<Server Base URL>/s/1519/3/1.0/_/WEB-INF/...

The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access

Notes

This issue is not reproducible in IE9 (IE8 leads to the same issue)

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

a-regular-404.png
10 kB
18/Jan/2013 1:47 PM
web-inf-404.png
12 kB
18/Jan/2013 1:47 PM

Issue Links

is cloned from

CONFSERVER-27693 Default application configuration files are available for download

Closed

is related to

FE-4449 Default application files available for download via the application server.

Closed

Testing discovered

JRASERVER-31373 NoOpServlet should serve the standard 404 page

Closed

incorporates: JRADEV-18148 Loading...

links to

webresources serves up arbitrary files from the classpath

relates to: PLUGWEB-24 Loading...

was cloned as: BDEV-2267 Loading...

(1 relates to, 1 was cloned as)

Activity

People

Assignee:: Eric Dalgliesh

Reporter:: Septa Cahyadiputra (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 18 Start watching this issue

Dates

Created:: 08/Jan/2013 12:24 PM

Updated:: 28/Mar/2019 12:09 AM

Resolved:: 07/Feb/2013 1:59 AM