Confluence Security Advisory 2008-03-06
In this advisory:
Users with View-Only Permission can Delete (Purge) Pages
Severity
Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.
More explanation of the ranking we chose:
- You might rank this vulnerability as critical, because in most installations the vulnerability will allow anonymous users to delete information.
- We have chosen a ranking of high, because the vulnerability does not allow privilege escalation i.e. it doesn't allow users to gain administration privileges.
Risk Assessment
We have identified and fixed a security flaw which allowed users who have 'View' permission (or higher) on a space to purge (delete) any page in that space.
The following Confluence versions are vulnerable: All versions from 1.3 to 2.7.1 inclusive.
To fix the vulnerability described below, Atlassian recommends that you take one of the following steps:
- Upgrade to Confluence 2.7.2, or
- Download and install the patch for Confluence 2.6.x or Confluence 2.7.x from our JIRA site – see issue CONF-10807.
Risk Mitigation
If you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only.
If it is not immediately feasible to upgrade to Confluence 2.7.2 or apply a patch, we recommend an alternative strategy:
- As a temporary measure, you can block the URL which allows someone to purge (delete) a page. Please ask your website administrator to block the URL described below.
- The impact is that Space Administrators will not be able to purge individual pages or news items. However, Space Administrators can still use the 'Purge All' link to clear the entire contents of Trash.
Vulnerability
Description:
A user can use the following Confluence action to permanently delete (purge) any Confluence page, provided that the user has 'View' permission (or higher) in the space to which the page belongs:
http://confluence-location/pages/purgetrashitem.action?key=XXX&contentId=XXX
The above action is invoked when a space administrator clicks the 'Purge' link on the space's 'Trash' page next to a wiki page which has already been deleted.
The action can also be invoked by simply entering the URL into the browser address bar, with the space key and the page's content ID as parameters. In this way, a user with 'View' permission (or higher) can permanently remove a page via the 'Purge' action, even if the page has never been deleted (i.e. it is not in the Trash at all).
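If you are running an unpatched version, you will want to know whether this action has already been hit. The following Python script is an example added to this page; it is not Atlassian's code and not part of the original advisory. It scans web-server access logs in the Apache/nginx 'combined' format for requests to pages/purgetrashitem.action, extracts the key and contentId parameters, and flags any request whose authenticated user is not on a caller-supplied list of space administrators. It also notes requests with no Referer, since a legitimate purge is clicked from the space's Trash page whereas a URL typed into the address bar normally carries none. The log lines, host names, user names, IP addresses, content IDs and the administrator list are all constructed; the user field is only populated if your front-end proxy performs authentication, otherwise it is '-' and every hit should be reconciled manually.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format. The user field is only populated
# when the front-end proxy performs authentication; otherwise it is "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Action named in the advisory; endswith() below tolerates a context path
# such as /confluence in front of it.
PURGE_ACTION = "/pages/purgetrashitem.action"

# Constructed sample log lines (hosts, users, IPs, content IDs are made up).
SAMPLE_LOG = [
    '10.0.0.5 - admin [06/Mar/2008:10:15:02 +1100] "GET /pages/listpages.action?key=DS HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [06/Mar/2008:10:16:40 +1100] "GET /pages/purgetrashitem.action?key=DS&contentId=4711 HTTP/1.1" 302 0 "http://wiki.example.com/pages/viewtrash.action?key=DS" "Mozilla/5.0"',
    '192.0.2.77 - - [06/Mar/2008:11:02:13 +1100] "GET /pages/purgetrashitem.action?key=DS&contentId=4712 HTTP/1.1" 302 0 "-" "curl/7.18.0"',
    '192.0.2.77 - jdoe [06/Mar/2008:11:03:55 +1100] "GET /confluence/pages/purgetrashitem.action?contentId=4713&key=ENG HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def parse_purge_hits(lines, admins=frozenset()):
    """Return one record per request to the purge action found in `lines`.

    `admins` is the (constructed) allow-list of space administrator user names;
    any hit from a user not in it is marked suspicious. With an empty allow-list
    every hit is suspicious, which is the right default when the proxy does not
    authenticate users and the field is always "-".
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than crash
        url = urlsplit(m.group("path"))
        if not url.path.endswith(PURGE_ACTION):
            continue
        params = parse_qs(url.query)
        user = m.group("user")
        referer = m.group("referer") or "-"
        hits.append({
            "ip": m.group("ip"),
            "user": user,
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": m.group("status"),
            "key": params.get("key", [None])[0],
            "contentId": params.get("contentId", [None])[0],
            "referer": referer,
            # A purge clicked from the Trash page carries a Referer; a URL
            # typed into the address bar normally does not.
            "no_referer": referer == "-",
            "suspicious": user not in admins,
        })
    return hits


def suspicious_hits(lines, admins=frozenset()):
    """Only the purge requests that did not come from a known administrator."""
    return [h for h in parse_purge_hits(lines, admins) if h["suspicious"]]


if __name__ == "__main__":
    # Usage: python purge_audit.py < access.log, or run as-is on the sample.
    for h in parse_purge_hits(SAMPLE_LOG, admins={"admin"}):
        flag = "SUSPICIOUS" if h["suspicious"] else "ok"
        print(f'{flag:10} {h["timestamp"]} {h["ip"]:15} user={h["user"]} '
              f'key={h["key"]} contentId={h["contentId"]} referer={h["referer"]}')
```

Run it against the real access log of the reverse proxy in front of Confluence and feed the resulting contentId values back to the space administrators so they can check, page by page, whether anything is missing. The Referer check is only a hint: a browser with Referer sending disabled will also show "-".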
Fix
This issue has been fixed in Confluence 2.7.2 (see the release notes), which you can download from the download centre.
A patch is available for Confluence 2.6.x, Confluence 2.7.0 and Confluence 2.7.1. For more information, please see CONF-10807.
Our thanks to Neeraj Jhanji, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate his working with us towards identifying and solving the problem.