Confluence Security Advisory - 2008-03-06

In this advisory:

Users with View-Only Permission can Delete (Purge) Pages

Severity

Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

More explanation of the ranking we chose:

  • You might rank this vulnerability as critical, because in most installations it allows anonymous users to delete information.
  • We have chosen a ranking of high because the vulnerability does not allow privilege escalation, i.e. it does not allow users to gain administration privileges.

Risk Assessment

We have identified and fixed a security flaw which allowed users who have 'View' permission (or higher) on a space to purge (delete) any page in that space.

The following Confluence versions are vulnerable: All versions from 1.3 to 2.7.1 inclusive.

To fix the vulnerability described below, we recommend that you take one of the following steps:

  • Upgrade to Confluence 2.7.2.
  • Download and install the patch for Confluence 2.6.x or Confluence 2.7.x from our JIRA site – see issue CONF-10807.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only.

If it is not immediately feasible to upgrade to Confluence 2.7.2 or apply a patch, we recommend an alternative strategy:

  • As a temporary measure, you can block the URL which allows someone to purge (delete) a page. Please ask your website administrator to block the URL described below.
  • The impact is that Space Administrators will not be able to purge individual pages or news items. However, Space Administrators can still use the 'Purge All' link to clear the entire contents of Trash.
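If you block the URL at the web server, that server's access log is also the place to check whether anyone has already been calling the purge action. The following script is an added example, not part of Atlassian's advisory or product: it scans Combined Log Format lines (the sample lines below are constructed, not real traffic) for requests to /pages/purgetrashitem.action, extracts the key and contentId parameters, and flags hits that are anonymous or come from a user who is not a space administrator of the named space. It assumes that the proxy or web server records the Confluence username in the remote-user field and that you can supply the space administrator list yourself; both are assumptions about your deployment, not facts from the advisory.

```python
"""Triage of web-server access logs for the Confluence purge action.

Added example, not Atlassian's code.  Assumes Combined Log Format lines
and that the third field (remote user) carries the Confluence username
for authenticated requests; both are assumptions about the deployment.
"""
import re
from urllib.parse import parse_qs, urlsplit

PURGE_ACTION = "/pages/purgetrashitem.action"

# host ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines for this example; not captured from a real server.
SAMPLE_LOG = """\
10.0.0.5 - alice [06/Mar/2008:10:01:12 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [06/Mar/2008:10:02:40 +0000] "GET /pages/purgetrashitem.action?key=DOCS&contentId=1234 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - admin [06/Mar/2008:10:05:01 +0000] "GET /pages/purgetrashitem.action?key=DOCS&contentId=4321 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Mar/2008:10:07:33 +0000] "GET /pages/purgetrashitem.action?key=DOCS&contentId=1235 HTTP/1.1" 302 0 "-" "curl/7.18"
10.0.0.5 - alice [06/Mar/2008:10:09:10 +0000] "GET /pages/viewtrash.action?key=DOCS HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_purge_requests(log_text, space_admins):
    """Return one record per request to the purge action.

    space_admins maps a space key to the set of usernames who are space
    administrators there (constructed here; in practice taken from the
    space permission pages).  A hit is marked suspicious when the request
    is unauthenticated at the proxy or the user is not a space
    administrator of the space named in the ``key`` parameter.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != PURGE_ACTION:
            continue
        params = parse_qs(url.query)
        key = params.get("key", [None])[0]
        content_id = params.get("contentId", [None])[0]
        user = None if rec["user"] == "-" else rec["user"]
        admins = space_admins.get(key, set())
        hits.append({
            "host": rec["host"],
            "time": rec["time"],
            "user": user,
            "key": key,
            "contentId": content_id,
            "status": rec["status"],
            "suspicious": user is None or user not in admins,
        })
    return hits


def suspicious_purges(log_text, space_admins):
    """Only the hits that no space administrator should have produced."""
    return [h for h in find_purge_requests(log_text, space_admins) if h["suspicious"]]


if __name__ == "__main__":
    admins = {"DOCS": {"admin"}}  # constructed administrator list
    for hit in find_purge_requests(SAMPLE_LOG, admins):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok        "
        print(flag, hit["time"], hit["host"], hit["user"] or "(anonymous)",
              hit["key"], hit["contentId"], hit["status"])
```

A recorded request does not by itself prove that the purge succeeded; the log holds nothing beyond the status code, so confirm against the space's Trash and page history. The script also only sees what reached that web server: requests made before logging was enabled, or through another route to Confluence, are invisible to it.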

Vulnerability

Description:
A user can use the following Confluence action to permanently delete (purge) any Confluence page, provided that the user has 'View' permission (or higher) in the space to which the page belongs:

http://confluence-location/pages/purgetrashitem.action?key=XXX&contentId=XXX

The above action is invoked when a space administrator clicks the 'Purge' link on the space's 'Trash' page next to a wiki page which has already been deleted.

The action can also be invoked by simply entering the URL into the browser address bar. In this way, it is possible for a user with 'View' permission (or higher) to remove a page via the 'Purge' action, even if the page has not been deleted.
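The description above amounts to two missing checks in one action: the caller's permission is tested at the wrong level (view instead of space administrator), and the state of the target is not tested at all (a live page is treated like one already in the Trash). The following model is an added example, not Confluence code and not Atlassian's actual fix in 2.7.2: the classes, permission table and function names are invented to show the vulnerable decision beside a hardened one. The hardened version also authorizes against the space the content really belongs to rather than the space named in the key parameter, which is a general precaution this example adds and which the advisory does not describe.

```python
"""Model of the purge action's missing authorization checks.

Added example, not Confluence code: Content, PERMISSIONS, ContentStore and
the purge_* functions are invented for illustration.  Atlassian's real fix
in Confluence 2.7.2 is not reproduced here.
"""
from dataclasses import dataclass


@dataclass
class Content:
    content_id: int
    space_key: str
    title: str
    trashed: bool = False
    purged: bool = False


# Constructed permission table: space key -> username -> permissions.
# Anonymous users are represented by the username None.
PERMISSIONS = {
    "DOCS": {None: {"view"}, "alice": {"view"}, "admin": {"view", "admin"}},
    "HR": {"hr-admin": {"view", "admin"}},
}


def has_permission(user, space_key, perm):
    return perm in PERMISSIONS.get(space_key, {}).get(user, set())


class ContentStore:
    def __init__(self, items):
        self.items = {c.content_id: c for c in items}

    def get(self, content_id):
        return self.items.get(content_id)


def purge_vulnerable(store, user, key, content_id):
    """Behaviour the advisory describes: anyone who can view the space named
    in ``key`` can purge the content in ``content_id``, trashed or not."""
    if not has_permission(user, key, "view"):
        raise PermissionError("no view permission on space %s" % key)
    content = store.get(content_id)
    if content is None:
        raise LookupError("no such content")
    content.purged = True
    return content


def purge_fixed(store, user, key, content_id):
    """Hardened version: resolve the content first, authorize against the
    space it really belongs to, require space administrator permission, and
    refuse to purge anything that is not already in the Trash."""
    content = store.get(content_id)
    if content is None or content.purged:
        raise LookupError("no such content")
    if content.space_key != key:
        # The key parameter must not steer the decision to a space the caller chose.
        raise PermissionError("content %d is not in space %s" % (content_id, key))
    if not has_permission(user, content.space_key, "admin"):
        raise PermissionError("purge requires space administrator permission")
    if not content.trashed:
        raise PermissionError("only items in the Trash can be purged")
    content.purged = True
    return content


def run_scenarios(purge):
    """Exercise one purge implementation and report which attempts succeed."""
    store = ContentStore([
        Content(1234, "DOCS", "Live page"),
        Content(4321, "DOCS", "Deleted page", trashed=True),
        Content(9999, "HR", "Salary table"),
    ])
    attempts = [
        ("alice", "DOCS", 1234),  # view-only user, page not deleted
        (None, "DOCS", 1234),     # anonymous user
        ("admin", "DOCS", 1234),  # space admin, but the page is not in the Trash
        ("admin", "DOCS", 4321),  # space admin purging a trashed page: legitimate
        ("admin", "DOCS", 9999),  # DOCS admin naming DOCS but targeting HR content
    ]
    results = {}
    for user, key, cid in attempts:
        try:
            purge(store, user, key, cid)
            results[(user, key, cid)] = "purged"
        except (PermissionError, LookupError) as exc:
            results[(user, key, cid)] = "refused: %s" % exc
    return results


if __name__ == "__main__":
    for name, purge in (("vulnerable", purge_vulnerable), ("fixed", purge_fixed)):
        print(name)
        for attempt, outcome in run_scenarios(purge).items():
            print("  ", attempt, "->", outcome)
```

Only the fourth attempt, a space administrator purging an item that is already in the Trash, should succeed; the vulnerable decision lets all five through, including the anonymous one, which is why the advisory notes that most installations expose this to anonymous users.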

Fix

These issues have been fixed in Confluence 2.7.2, which is available from the download centre. Please see the release notes.

A patch is available for Confluence 2.6.x, Confluence 2.7.0 and Confluence 2.7.1. For more information, please see CONF-10807.

Our thanks to Neeraj Jhanji, who reported this issue to Atlassian. We fully support the reporting of vulnerabilities and we appreciate his working with us towards identifying and solving the problem.

Last modified on 13 September 2013