Confluence Security Advisory 2007-11-19

Atlassian recommends that you upgrade to Confluence 2.6.1 to fix the vulnerabilities described below.

DWR debug mode enabled

Vulnerability

Debug mode was enabled by default on Direct Web Remoting (DWR). DWR's debug mode serves test pages that list every Java class and method exposed for remote invocation, so an attacker could enumerate the AJAX request handlers available in Confluence without any prior knowledge of the application.

Fix

This issue has been fixed in Confluence 2.6.1. If you do not wish to upgrade at this time, you can fix the problem by editing your <confluence install>/confluence/WEB-INF/web.xml file. For more information, please see CONF-9718.
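The advisory points at web.xml without naming the setting. DWR reads a servlet init-param called debug; a value of true enables the test pages under the DWR servlet's URL mapping (normally <base-url>/dwr/index.html) that enumerate the remoted classes. The Python below is an added example and is not Confluence's or DWR's own code: it parses a constructed web.xml fragment, reports whether any DWR servlet has debug enabled, and returns a copy with the flag switched off. The servlet name dwr-invoker, the class uk.ltd.getahead.dwr.DWRServlet, the /dwr/* mapping and the second servlet are assumptions about what the Confluence 2.6 file contains; check the real entry in your own web.xml.

```python
import xml.etree.ElementTree as ET

# web.xml 2.4 files carry the J2EE default namespace; older 2.3 files carry none.
# Both are handled below by matching on local element names.
J2EE_NS = "http://java.sun.com/xml/ns/j2ee"
ET.register_namespace("", J2EE_NS)  # keep the default namespace on re-serialisation

# Constructed sample (assumed shape of the Confluence 2.6 file, not a copy of it).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
    <servlet>
        <servlet-name>dwr-invoker</servlet-name>
        <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>
    <servlet>
        <servlet-name>other</servlet-name>
        <servlet-class>org.example.OtherServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>dwr-invoker</servlet-name>
        <url-pattern>/dwr/*</url-pattern>
    </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip a {namespace} prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _dwr_servlets(root):
    """Yield every <servlet> whose class name looks like a DWR servlet."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = _child_text(servlet, "servlet-class") or ""
        if "dwr" in cls.lower():
            yield servlet


def _debug_params(servlet):
    """Yield the <param-value> elements of init-params named debug."""
    for param in servlet:
        if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "debug":
            for child in param:
                if _local(child.tag) == "param-value":
                    yield child


def dwr_servlets(web_xml):
    """Map each DWR servlet name to whether debug mode is on.

    DWR treats a missing debug param as false, so absence reports False.
    """
    result = {}
    for servlet in _dwr_servlets(ET.fromstring(web_xml)):
        enabled = any((v.text or "").strip().lower() == "true" for v in _debug_params(servlet))
        result[_child_text(servlet, "servlet-name")] = enabled
    return result


def disable_dwr_debug(web_xml):
    """Return the document with every DWR debug param set to false."""
    root = ET.fromstring(web_xml)
    for servlet in _dwr_servlets(root):
        for value in _debug_params(servlet):
            value.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", dwr_servlets(SAMPLE_WEB_XML))
    print("after: ", dwr_servlets(disable_dwr_debug(SAMPLE_WEB_XML)))
```

After writing the corrected file back and restarting Confluence, a request to <base-url>/dwr/index.html should no longer return the list of remoted classes and methods.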

XSS vulnerability in exception error page

Vulnerability

Request attributes and parameters echoed on the Confluence exception error page were not HTML-escaped, so a crafted request could inject markup or script into that page. This is a potential cross-site scripting vulnerability.

Fix

This issue has been fixed in Confluence 2.6.1. For more information, please see CONF-9704 and CONF-9560.

XSS vulnerability in the URL destination for the print icon

Vulnerability

The print icon on the HTTP 404 error page builds its link from the path of the requested URL. The 404 page did not escape that path before inserting it, so a crafted request path could inject JavaScript into the page. This is a potential cross-site scripting vulnerability.

Fix

This issue has been fixed in Confluence 2.6.1. A patch is supplied for customers with Confluence version 2.6 who do not wish to upgrade at this time. For more information, please see CONF-9456.

XSS vulnerability in wiki markup for images

Vulnerability

Quotes in image URLs used in wiki markup were not escaped when the image tag was rendered, so a crafted URL could break out of the tag's attribute and inject script. This is a potential cross-site scripting vulnerability.

Fix

This issue has been fixed in Confluence 2.6.1. For customers with Confluence 2.6 who do not wish to upgrade at this time, the new atlassian-renderer JAR should resolve this issue. For more information, please see CONF-9209.
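The three cross-site scripting issues above (the exception page, the 404 print icon, and image URLs in wiki markup) share one root cause: attacker-controlled text placed inside an HTML attribute without escaping the characters that end the attribute. The Python below is an added example, not Confluence's or atlassian-renderer's code: it models two hypothetical templates (a 404 print link that concatenates the request path, and an img tag rendered from image wiki markup) in a vulnerable and an escaped form, then parses the output the way a browser would to show which version carries executable content. The sample request path, the sample image URL and the exact template strings are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed inputs (not taken from the advisory). Each carries a double quote
# that terminates the attribute the template puts it in.
REQUESTED_PATH = '/display/DOCS/missing"><script>alert(1)</script>'
IMAGE_URL = 'http://example.com/a.png" onerror="alert(1)'


def print_link_vulnerable(path):
    """Hypothetical 404 print icon: request path concatenated straight into href."""
    return '<a href="' + path + '?decorator=printable">print</a>'


def print_link_fixed(path):
    """Same link with the path escaped as an HTML attribute value."""
    return '<a href="' + html.escape(path, quote=True) + '?decorator=printable">print</a>'


def image_tag_vulnerable(url):
    """Hypothetical renderer output for !url! wiki markup, URL left unescaped."""
    return '<img src="' + url + '" />'


def image_tag_fixed(url):
    """Same img tag with the URL escaped (quotes become &quot;)."""
    return '<img src="' + html.escape(url, quote=True) + '" />'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag, {attr: value}), ...] for the given HTML fragment."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_script(markup):
    """List the script tags and on* event handlers a browser would execute.

    An empty list means the untrusted text stayed inside its attribute.
    """
    findings = []
    for tag, attrs in parse_tags(markup):
        if tag == "script":
            findings.append("script")
        findings.extend(tag + "@" + name for name in attrs if name.startswith("on"))
    return findings


if __name__ == "__main__":
    for label, markup in [
        ("404 print link, vulnerable", print_link_vulnerable(REQUESTED_PATH)),
        ("404 print link, fixed", print_link_fixed(REQUESTED_PATH)),
        ("image markup, vulnerable", image_tag_vulnerable(IMAGE_URL)),
        ("image markup, fixed", image_tag_fixed(IMAGE_URL)),
    ]:
        print(label, "->", injected_script(markup) or "no script")
```

Attribute escaping is the minimum fix and is what stops the breakout shown here; for the href case the path should additionally be URL-encoded and restricted to a relative path, since escaping alone still leaves the attacker's text inside the link target.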

Last updated 19 November 2007
