Documentation for Confluence 2.5.4 - 2.5.8.
Documentation for [Confluence Cloud] and the latest Confluence Server is available too.

攻撃者が悪意のある HTML コードを Confluence に注入できる欠陥が Confluence で見つかりました。アトラシアンでは、すべての Confluence のお客様が下記の修正をすぐに適用するか、Confluence 2.0.2 にアップグレードすることを強くお勧めします。

Vulnerability

By entering HTML code into the Confluence search input fields, attackers can cause arbitrary scripting code to be executed by the user's browser in the security context of the Confluence instance.

This flaw affects all versions of Confluence between 1.4-DR releases and 2.0.1.

(Atlassian was not informed of the problem before it was published by third-party security researchers. You can read the third-party security advisory here: http://secunia.com/advisories/17833/. The vulnerability was originally reported here.)

修正

この脆弱性は Confluence 2.0.2 以降で修正されています。2.0.2 への移行を希望しないお客様は、以下の手順を使用してこのバグを修正できます。

  1. confluence/decorators/components/searchresults.vmd を編集します。
  2. 次の参照 (行 48 の周辺) を置換します。 
    $action.getText("search.result", [$start, $end, $total, $queryString])

    with 
    $action.getText("search.result", [$start, $end, $total, $generalUtil.escapeXml($queryString)]).


  3. Edit the confluence/search/searchsite-results.vm.
  4. 次の参照 (行 11 の周辺) を置換します。 
    Searched for <b>$action.searchQuery.queryString</b>

    with 
    Searched for <b>$generalUtil.escapeXml($action.searchQuery.queryString)</b>


  5. Confluence を再起動します。

Alternatively, you can download the patched source files from CONF-4825. If you are patching a 2.0.x installation, then use the files with the .2.0 suffix. If you are patching a 1.4.x installation, then use the files with the .1.4 suffix.





Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.