Login Vulnerability in Confluence...?

Ganesh April 26, 2020

Hi,

Good Day..!

This is Kevin. Actually, I am here to share my login issues with Confluence.

We have an LDAP system for user management, and whenever a user wants to log in to Confluence it seems it is not encrypted; it takes the plain text to log in. So could anyone please help me out with this, and is there any chance to encrypt the user login and password in the back end? Or any scripts? Please help me out with this.

Thanks,

Kevin.

1 comment

Davin Studer
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 27, 2020

When you say not encrypted are you saying the web page is not encrypted or the password credentials sent to your LDAP server are not sent over LDAPS (Secure LDAP)?

Ganesh April 27, 2020

Hi Davin, 

Thanks for your reply.

When the user enters the user name and password, they are not encrypted, and it takes the same data as the user entered.

Thanks,

Kevin.

Davin Studer
April 27, 2020

Again, that doesn't help. How do you know it is not being encrypted? Are you doing packet captures on the back end to see if it is encrypted? Is the page not loading via HTTPS, is your server not connecting to LDAP over a secure channel, or are you seeing plain text in the password field when you type in the password? Please provide details about how you know it is not encrypted.

Ganesh April 27, 2020

Actually, we got the encrypted info from the security team in my organization. They found this bug in version 6.15.9 and they clearly mentioned that the data which the user entered was not encrypted.

Davin Studer
April 27, 2020

Well, first I would not say it is a bug. There are certain prerequisites that need to be in place in order to enable encryption. You can't just turn it on because in a lot (maybe even most) situations it would fail.

With regards to accessing Confluence over SSL, you need to have an SSL cert from a Certificate Authority. You may have your own trusted cert authority in-house and might be able to issue a cert for Confluence from that. You wouldn't want to just create a cert, say from OpenSSL, because it probably would not be trusted by any of your web browsers unless you imported the certificate into all your machines' cert stores. The other option would be to get a cert from one of the many public CAs. Once you have that, you would set up either a reverse proxy or edit the server.xml file for Confluence to enable SSL. That covers the encrypting web traffic part.

However, if you are doing LDAP for authentication, then the Confluence server will talk to LDAP to verify that the credentials entered are correct. That traffic by default is not encrypted either, as your LDAP server needs to support it. So, you would need to find out if it does support an LDAPS connection. Then you would edit the user directory in Confluence for your LDAP server and turn on secure communication. This may or may not work right away too, because if you use an in-house trusted CA you will need to import your CA certs into the Java cert store located in Confluence_Install/jre/lib/security. The file is called cacerts and the password is the default used for Java installs ... "changeit".
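The answer above describes three separate things to verify: whether the Tomcat connector in server.xml is actually configured for HTTPS, whether the user directory talks to LDAP over ldaps://, and how the in-house CA certificate gets into the JRE's cacerts store. The script below is an added example written for this thread, not code from Atlassian or from the commenter. It parses a constructed server.xml fragment (not a real install's file), classifies its connectors, flags the default "changeit" keystore password, checks an LDAP URL's scheme, and builds the keytool import command for the cacerts path mentioned above. Every path, alias and hostname in it is a placeholder assumption.

```python
"""Configuration checks for the three points in the answer above:
HTTPS connector in server.xml, LDAPS for the user directory, and
importing a private CA into the Confluence JRE cacerts store.
Constructed example; all paths, hosts and aliases are placeholders."""
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed server.xml fragment: one plain HTTP connector on 8090 and one
# TLS connector on 8443. Attribute names are the standard Tomcat ones.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/atlassian/confluence/conf/confluence.jks"
               keystorePass="changeit" sslProtocol="TLS" />
  </Service>
</Server>
"""

DEFAULT_JAVA_STORE_PASSWORD = "changeit"  # Java's well-known default


def _is_tls_connector(connector):
    """A connector only serves HTTPS when all three attributes are set."""
    return (connector.get("SSLEnabled", "").lower() == "true"
            and connector.get("scheme", "").lower() == "https"
            and connector.get("secure", "").lower() == "true")


def classify_connectors(server_xml):
    """Return {"https": [ports], "plaintext": [ports], "weak_keystore": [ports]}.

    weak_keystore lists TLS connectors whose keystorePass is still the
    Java default, which is worth changing along with enabling HTTPS."""
    root = ET.fromstring(server_xml)
    result = {"https": [], "plaintext": [], "weak_keystore": []}
    for c in root.iter("Connector"):
        port = int(c.get("port"))
        if _is_tls_connector(c):
            result["https"].append(port)
            if c.get("keystorePass") == DEFAULT_JAVA_STORE_PASSWORD:
                result["weak_keystore"].append(port)
        else:
            result["plaintext"].append(port)
    return result


def ldap_url_is_secure(url):
    """True only for ldaps://; plain ldap:// sends the bind password in clear."""
    return urlparse(url).scheme.lower() == "ldaps"


def keytool_import_cmd(ca_cert_path, confluence_install,
                       alias="corp-root-ca", storepass=DEFAULT_JAVA_STORE_PASSWORD):
    """Build the keytool command that adds a private CA to the JRE cacerts
    store under Confluence_Install/jre/lib/security, as the answer describes.
    Returned as an argv list; join with shlex for display."""
    cacerts = f"{confluence_install}/jre/lib/security/cacerts"
    return ["keytool", "-importcert", "-trustcacerts",
            "-alias", alias, "-file", ca_cert_path,
            "-keystore", cacerts, "-storepass", storepass, "-noprompt"]


def main():
    report = classify_connectors(SAMPLE_SERVER_XML)
    print("HTTPS connectors:", report["https"])
    print("Plaintext connectors (consider disabling or redirecting):",
          report["plaintext"])
    print("TLS connectors still using the default keystore password:",
          report["weak_keystore"])
    for url in ("ldap://dc.example.internal:389",    # placeholder host
                "ldaps://dc.example.internal:636"):  # placeholder host
        print(url, "-> secure" if ldap_url_is_secure(url) else "-> NOT secure")
    # Placeholder paths; substitute your own CA cert and install directory.
    cmd = keytool_import_cmd("/tmp/corp-root-ca.pem", "/opt/atlassian/confluence")
    print("Import command:", shlex.join(cmd))


if __name__ == "__main__":
    main()
```

The connector check deliberately requires all three of SSLEnabled, scheme and secure, since a connector with only one of them set will still accept plain HTTP. The LDAP check is on the URL string only; Confluence stores the user directory URL in its database rather than a file, so feed it the value shown in the directory's configuration page.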

Ganesh April 28, 2020

Thank you, Davin, for your suggestion. The vulnerability in the application is confirmed by the support team; they also found the same vulnerability, and the developer team is currently working on that.
