
Confluence Security Advisory 2005-02-09

A flaw has been found in Confluence by which attackers can bypass Confluence security and change content on the site. Atlassian STRONGLY recommends that all Confluence customers apply the fix described below immediately, or upgrade to Confluence 1.3.3.

Vulnerability

By crafting custom URLs, any person with the ability to browse Confluence can modify content on the site, bypassing security settings. This vulnerability does not allow users to view content they would not normally be able to view, or escalate their privileges in other ways.

This flaw affects all versions of Confluence prior to 1.3.3, including the 1.4-DR development releases.

Fix

This vulnerability is fixed in Confluence 1.3.3 and later. Customers who do not wish to migrate to 1.3.3 can fix this bug using the procedure below:

  1. Edit the file confluence/WEB-INF/classes/xwork.xml
  2. Find the following section near the top of the file (around line 34):
    <interceptor-stack name="defaultStack">
        <interceptor-ref name="profiling">
            <param name="location">Before defaultStack</param>
        </interceptor-ref>
        <interceptor-ref name="transaction"/>
        <interceptor-ref name="authentication"/>
        <interceptor-ref name="requestParameterHack"/>
        <interceptor-ref name="eventnotifier"/>
        <interceptor-ref name="autowire"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="servlet"/>
        <interceptor-ref name="pageAware"/>
        <interceptor-ref name="permissions"/>
        <interceptor-ref name="profiling">
            <param name="location">After defaultStack</param>
        </interceptor-ref>
    </interceptor-stack>
    
  3. Locate the "autowire" and "params" entries:
                  <interceptor-ref name="eventnotifier"/>
    -->           <interceptor-ref name="autowire"/>      <--
    -->           <interceptor-ref name="params"/>        <--
                  <interceptor-ref name="servlet"/>
    
  4. Swap the two lines around. The whole stack should now look like this:
    <interceptor-stack name="defaultStack">
        <interceptor-ref name="profiling">
            <param name="location">Before defaultStack</param>
        </interceptor-ref>
        <interceptor-ref name="transaction"/>
        <interceptor-ref name="authentication"/>
        <interceptor-ref name="requestParameterHack"/>
        <interceptor-ref name="eventnotifier"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="autowire"/>
        <interceptor-ref name="servlet"/>
        <interceptor-ref name="pageAware"/>
        <interceptor-ref name="permissions"/>
        <interceptor-ref name="profiling">
            <param name="location">After defaultStack</param>
        </interceptor-ref>
    </interceptor-stack>
    
  5. Restart Confluence.
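The fix above is a one-line reorder, which is easy to get wrong or to miss on one of several installations. The following script is an added example, not Atlassian's code: it parses an xwork.xml, locates the interceptor-stack named defaultStack, and reports whether "params" now precedes "autowire", which is the state step 4 leaves the file in. It assumes the file is well-formed XML and that the stack keeps the name shown in the advisory; the two embedded samples are constructed from the advisory's before/after listings so the script runs offline. It only inspects the named stack, so other stacks in the file are not checked.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, built from the advisory's listings and wrapped in a
# minimal <interceptors> element so it parses on its own. The two placeholders
# take the pair of lines that step 4 swaps.
STACK_TEMPLATE = """<interceptors>
    <interceptor-stack name="defaultStack">
        <interceptor-ref name="profiling">
            <param name="location">Before defaultStack</param>
        </interceptor-ref>
        <interceptor-ref name="transaction"/>
        <interceptor-ref name="authentication"/>
        <interceptor-ref name="requestParameterHack"/>
        <interceptor-ref name="eventnotifier"/>
        <interceptor-ref name="{first}"/>
        <interceptor-ref name="{second}"/>
        <interceptor-ref name="servlet"/>
        <interceptor-ref name="pageAware"/>
        <interceptor-ref name="permissions"/>
        <interceptor-ref name="profiling">
            <param name="location">After defaultStack</param>
        </interceptor-ref>
    </interceptor-stack>
</interceptors>"""

# Step 2 order (autowire before params) and step 4 order (params before autowire).
VULNERABLE_STACK = STACK_TEMPLATE.format(first="autowire", second="params")
FIXED_STACK = STACK_TEMPLATE.format(first="params", second="autowire")


def interceptor_order(xml_text, stack_name="defaultStack"):
    """Return the interceptor-ref names of the named stack, in file order.

    Only direct <interceptor-ref> children are collected, so the <param>
    elements nested inside the profiling entries are ignored.
    """
    root = ET.fromstring(xml_text)
    for stack in root.iter("interceptor-stack"):
        if stack.get("name") == stack_name:
            return [ref.get("name") for ref in stack.findall("interceptor-ref")]
    raise ValueError(f'no <interceptor-stack name="{stack_name}"> found')


def is_patched(xml_text, stack_name="defaultStack"):
    """True when "params" runs before "autowire", i.e. the advisory's fix is in place."""
    order = interceptor_order(xml_text, stack_name)
    for required in ("params", "autowire"):
        if required not in order:
            raise ValueError(f'"{required}" interceptor missing from {stack_name}')
    return order.index("params") < order.index("autowire")


def check_file(path):
    """Read an xwork.xml from disk and apply is_patched to it."""
    with open(path, encoding="utf-8") as fh:
        return is_patched(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_xwork.py confluence/WEB-INF/classes/xwork.xml
        patched = check_file(sys.argv[1])
    else:
        # No path given: exercise the constructed samples instead.
        assert not is_patched(VULNERABLE_STACK)
        patched = is_patched(FIXED_STACK)
    print("params before autowire:", patched)
    sys.exit(0 if patched else 1)
```

Run it against the live file after the restart in step 5; a non-zero exit means the stack is still in the pre-fix order. On 1.3.3 and later the check is expected to pass without any manual edit.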

  1. Feb 09, 2005

    David Valentine says:

    damn, where are those named arguments, like in python