Confluence コミュニティ セキュリティ勧告 2006-01-19

Confluence のセキュリティの概要とアドバイザリ

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

This security advisory is not endorsed by Atlassian - this is a public service advisory from a member of the confluence community. Please remember to backup any modified files, and use these instructions at your own risk. While this information is based on Confluence v2.1.2, it may have uses with older affected versions of Confluence.

The official security advisory is located at Confluence Security Advisory 2006-01-20

 

問題

There is a possibility of XSS exploitation of the Full Name user profile field when displayed.

ソリューション

The problem was unescaped outputting of the fullname - wrapping the output in $generalUtil.htmlEncode() resolve it. The vast majority of the problem can be resolved by changing /confluence/template/includes/macros.vm in the distribution on the following lines:

  • 180
  • 186
  • 200
  • 340
  • 893

I have attached the modified macros.vm file here which you can copy into your distribution.

Scope

There are other places which are still affected which Atlassian have been made aware of, a complete resolution should be provided by Atlassian in their own offical advisory.

I hope this helps some of you!

最終更新日 2006 年 1 月 20 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.