Confluence Security Advisory 2007-11-19
Atlassian recommends that you upgrade to Confluence 2.6.1 to fix the vulnerabilities described below.
DWR debug mode enabled
Vulnerability
Debug mode was enabled by default on Direct Web Remoting (DWR). This made it easy for a potential attacker to find information about available AJAX request handlers in Confluence.
Fix
This issue has been fixed in Confluence 2.6.1. If you do not wish to upgrade at this time, you can fix the problem by editing your <confluence install>/confluence/WEB-INF/web.xml file to turn off DWR debug mode. For more information, please see CONF-9718.
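The web.xml change referred to above, shown as an added illustration rather than as the advisory's own text or Confluence's actual configuration: DWR reads its debug switch from the `debug` init-param of its servlet, so the fix is to set that parameter to `false`. The servlet name, servlet class and URL mapping below are assumptions for the example (the class is the DWR 1.x servlet; check your own web.xml for the real names).

```xml
<!-- Added example: an assumed DWR servlet entry in Confluence's web.xml.
     Servlet name, class and mapping are illustrative, not taken from the advisory. -->
<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
  <init-param>
    <!-- "true" is the weak setting: the DWR index page lists every remoted
         class and generates a test page for each exposed method.
         "false" disables those pages without affecting normal AJAX calls. -->
    <param-name>debug</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>dwr-invoker</servlet-name>
  <url-pattern>/dwr/*</url-pattern>
</servlet-mapping>
```

After restarting Confluence, verify the change by requesting the DWR index page (under the servlet's mapping, /dwr/index.html in the assumed layout above) as an unauthenticated user: with debug off it should no longer return the list of remoted classes.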
XSS vulnerability in exception error page
Vulnerability
The attributes and parameters were not escaped on the Confluence exception error page. This is a potential vulnerability to a cross-site scripting attack.
Fix
This issue has been fixed in Confluence 2.6.1. For more information, please see CONF-9704 and CONF-9560.
XSS vulnerability in the URL destination for the print icon
Vulnerability
The print icon on the HTTP 404 error page uses the path of the requested URL, which potentially contains malicious JavaScript. The 404 page did not correctly escape it. This is a potential vulnerability to a cross-site scripting attack.
Fix
This issue has been fixed in Confluence 2.6.1. A patch is supplied for customers with Confluence version 2.6 who do not wish to upgrade at this time. For more information, please see CONF-9456.
XSS vulnerability in wiki markup for images
Vulnerability
When using image URLs in wiki markup, quotes were not correctly escaped. This is a potential vulnerability to a cross-site scripting attack.
Fix
This issue has been fixed in Confluence 2.6.1. For customers with Confluence 2.6 who do not wish to upgrade at this time, the new atlassian-renderer JAR should resolve this issue. For more information, please see CONF-9209.
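The three cross-site scripting issues above (unescaped parameters on the exception page, the requested path in the 404 print link, and quotes in wiki image URLs) share one root cause: untrusted text placed inside HTML attributes or markup without attribute escaping. The following Python is an added example written for this page, not Confluence code, and the page layout, query string and payload are constructed for the demonstration. It shows the pre-fix interpolation next to the escaped form, and goes one step past the advisory for image URLs by also rejecting non-http(s) schemes, since quote escaping alone does not stop a `javascript:` URL in an attribute.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed payload (not from the advisory): a requested path that tries to
# close the href attribute and inject a script element.
PAYLOAD_PATH = '/display/DOC/missing"><script>alert(1)</script><a href="'


def escape_attr(value: str) -> str:
    """HTML-escape text for use inside a double-quoted attribute value.

    quote=True turns & < > " and ' into entities, so the value can never
    terminate the surrounding attribute or open a new tag.
    """
    return html.escape(value, quote=True)


def print_link_vulnerable(requested_path: str) -> str:
    """Pre-fix shape of the 404 print link: the raw path lands in href."""
    # "?print=1" is an assumed query string for the example.
    return f'<a href="{requested_path}?print=1">Print</a>'


def print_link_fixed(requested_path: str) -> str:
    """Fixed shape: the path is attribute-escaped before interpolation."""
    return f'<a href="{escape_attr(requested_path)}?print=1">Print</a>'


def error_page_fixed(params: dict) -> str:
    """Render request parameters on an error page with names and values escaped."""
    rows = "".join(
        f"<li>{escape_attr(k)}={escape_attr(v)}</li>" for k, v in params.items()
    )
    return f"<ul>{rows}</ul>"


def image_tag_fixed(url: str) -> Optional[str]:
    """Render a wiki image URL as <img>, or return None if it is rejected.

    Escaping the quotes stops attribute break-out (the advisory's fix); the
    scheme check is an extra guard added here against javascript: URLs.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return None
    return f'<img src="{escape_attr(url)}" alt="">'


if __name__ == "__main__":
    print(print_link_vulnerable(PAYLOAD_PATH))
    print(print_link_fixed(PAYLOAD_PATH))
    print(error_page_fixed({"q": "<b>"}))
    print(image_tag_fixed('http://x/a.png"onerror="alert(1)'))
    print(image_tag_fixed("javascript:alert(1)"))
```

Escaping must happen at the point of output, for the context the value lands in: the same path would need URL encoding rather than HTML escaping if it were being rebuilt into a query string instead of an attribute.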