Hi,
Good day!
This is Kevin. Actually, I am here to share my login issues with Confluence.
We have an LDAP system for user management, and whenever a user wants to log in to Confluence it seems it is not encrypted; it takes the plain text to log in. So could anyone please help me out with this? Is there any chance to encrypt the user login and password in the back end, or else any scripts? Please help me out with this.
Thanks,
Kevin.
Hi Davin,
Thanks for your reply.
When the user enters the user name and password, they are not encrypted and it takes the same data as the user entered.
Thanks,
Kevin.
Again, that doesn't help. How do you know it is not being encrypted? Are you doing packet captures on the back end to see if it is encrypted? Is the page not loading via HTTPS, is your server not connecting to LDAP over a secure channel, or are you seeing plain text in the password field when you type in the password? Please provide details about how you know it is not encrypted.
Actually, we got the encrypted info from the security team in my organization. They found this bug in version 6.15.9 and clearly mentioned that the data the user entered was not encrypted.
Well, first, I would not say it is a bug. There are certain prerequisites that need to be in place in order to enable encryption. You can't just turn it on, because in a lot of (maybe even most) situations it would fail.
With regards to accessing Confluence over SSL, you need to have an SSL cert from a Certificate Authority. You may have your own trusted cert authority in-house and might be able to issue a cert for Confluence from that. You wouldn't want to just create a cert, say, from OpenSSL, because it probably would not be trusted by any of your web browsers unless you imported the certificate into all your machines' cert stores. The other option would be to get a cert from one of the many public CAs. Once you have that, you would set up either a reverse proxy or edit the server.xml file for Confluence to enable SSL. That covers the encrypting-web-traffic part.
However, if you are doing LDAP for authentication, then the Confluence server will talk to LDAP to verify that the credentials entered are correct. That traffic by default is not encrypted either, as your LDAP server needs to support it. So, you would need to find out if it does support LDAPS connections. Then you would edit the user directory in Confluence for your LDAP server and turn on secure communication. This may or may not work right away too, because if you use an in-house trusted CA you will need to import your CA certs into the Java cert store located in Confluence_Install/jre/lib/security. The file is called cacerts and the password is the default used for Java installs ... "changeit".
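The answer above gives two ways to get the browser-to-Confluence leg encrypted: let Tomcat terminate TLS through an SSL connector in server.xml, or put a reverse proxy in front and tell Tomcat about it. A quick way to verify which of those a given install actually has is to read the connectors out of server.xml. The script below is an added example, not code from this thread, from Atlassian or from Tomcat. It audits three constructed server.xml fragments (the stock plain-HTTP connector, a Tomcat-terminated TLS connector, and a connector behind a TLS-terminating proxy). The Connector attributes it checks (SSLEnabled, scheme, secure, keystoreFile, keystorePass, proxyName, proxyPort) are real Tomcat attributes; the keystore path, host name and password in the samples are made up.

```python
"""Audit a Confluence server.xml for HTTPS connector settings.

Added example: not code from the thread, Atlassian or Tomcat. The three
server.xml fragments below are constructed samples with made-up paths,
host names and passwords.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: the stock Confluence connector, plain HTTP on 8090.
# Anything a user types into the login form reaches this port unencrypted.
PLAINTEXT_SERVER_XML = """\
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="48" minSpareThreads="10" enableLookups="false"
               acceptCount="10" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  </Service>
</Server>
"""

# Constructed sample 2: Tomcat terminates TLS itself using a keystore that
# holds a CA-issued certificate (hypothetical path, alias and password).
TLS_SERVER_XML = """\
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8443" maxThreads="48" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="false"
               keystoreFile="/opt/atlassian/confluence/conf/confluence.jks"
               keystorePass="s3cret-not-changeit" keyAlias="tomcat"/>
  </Service>
</Server>
"""

# Constructed sample 3: a reverse proxy terminates TLS; Tomcat stays on 8090
# but is told the public scheme, host and port so generated links are https.
PROXY_SERVER_XML = """\
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" maxThreads="48"
               URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true"
               proxyName="confluence.example.com" proxyPort="443"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list:
    """Return one finding per <Connector>: {"port", "mode", "issues"}.

    mode is "tls" (Tomcat terminates TLS), "behind-proxy" (a reverse proxy
    terminates TLS and Tomcat has been told so) or "plaintext".
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        a = conn.attrib
        issues = []
        if a.get("SSLEnabled", "false").lower() == "true":
            mode = "tls"
            if a.get("scheme") != "https":
                issues.append('scheme should be "https"')
            if a.get("secure", "false").lower() != "true":
                issues.append('secure should be "true"')
            if not a.get("keystoreFile"):
                issues.append("no keystoreFile: Tomcat has no certificate to present")
            if a.get("keystorePass") == "changeit":
                issues.append("keystorePass is the well-known Java default")
        elif a.get("proxyName"):
            mode = "behind-proxy"
            if a.get("scheme") != "https":
                issues.append('scheme should be "https" behind a TLS proxy')
            if a.get("secure", "false").lower() != "true":
                issues.append('secure should be "true" behind a TLS proxy')
            if not a.get("proxyPort"):
                issues.append("proxyPort missing: redirects will carry the internal port")
        else:
            mode = "plaintext"
            issues.append("credentials posted to this port cross the network in clear text")
        findings.append({"port": a.get("port"), "mode": mode, "issues": issues})
    return findings


def is_hardened(server_xml: str) -> bool:
    """True only if there is at least one connector and none is plaintext or flawed."""
    findings = audit_connectors(server_xml)
    return bool(findings) and all(
        f["mode"] != "plaintext" and not f["issues"] for f in findings
    )


if __name__ == "__main__":
    for name, xml in [("stock", PLAINTEXT_SERVER_XML),
                      ("tomcat-tls", TLS_SERVER_XML),
                      ("reverse-proxy", PROXY_SERVER_XML)]:
        print(name, "hardened" if is_hardened(xml) else "NOT hardened")
        for f in audit_connectors(xml):
            for issue in f["issues"]:
                print(f"  port {f['port']} ({f['mode']}): {issue}")
```

Run it against the real file (Confluence_Install/conf/server.xml) by reading it and passing the text to `is_hardened`. Note that a deployment which adds an 8443 SSL connector but leaves the stock 8090 connector in place still fails the check, and rightly so: the login form is still reachable over plain HTTP on 8090 unless that connector is removed or firewalled. For the LDAPS leg the answer describes, the trust-store import for an in-house CA is the standard keytool invocation, with the alias and file name here being hypothetical: `keytool -importcert -alias corp-ca -file corp-ca.pem -keystore Confluence_Install/jre/lib/security/cacerts -storepass changeit`. After that, the "Use SSL" option on the Confluence user directory can be enabled against the LDAP server's LDAPS port.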
Thank you, Davin, for your suggestion. The vulnerability in the application is confirmed by the support team; they also found the same vulnerability, and the developer team is currently working on that.