It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Confluence Security issue raised after VAPT

First Issue: 

Finding Description:
During our assessment it was identified that the web application contains HTML forms field
with an input of type 'password' where 'autocomplete' is not set to 'off'. While this does not
represent a risk to this web server per se, it does mean that users who use the affected
forms may have their credentials saved in their browsers, which could in turn lead to a loss
of confidentiality, if any of them use a shared host or their machine is compromised at
some point. The issue was identified under the following URLs:

Affected URLs
https://diwanspace.dubai.gov.ae/login.action

Ease of Identification:
The vulnerability was identified with the use of a common web browser.
Ease of Exploitation:
The vulnerability is not directly exploitable per se, but rather in correlation with other factors
(e.g. by gaining access to the end-user workstation).
Potential Impact: Low
Dumping all data from a browser can be fairly easy, as attackers can use a number of
readily available automated tools.
Exposure Level: Very Low
The exposure level is considered Very low.

Corrective Actions: Add the attribute 'autocomplete=off' to password prevent browsers from caching credentials.

 

Second Issue:

 

Description:
During our assessment, we identified the following outdated JavaScript libraries being in
use, which are susceptible to a number of vulnerabilities. Specifically, the libraries identified
are the following:

Affected URL Version

https://diwanspace.dubai.gov.ae/s/003dea82ef0248a15e17abe22ce
40977CDN/fr_FR/7901/9eed016aaa593220cd98620fec88bcbd9fd55893/
18384c6dc0a22ebf7c4bdc9ce515987d/_/download/contextbatch/js/
_super/batch.js?locale=fr-FR – JQuery 1.7.2

Note: The aforementioned JavaScript libraries are outdated hence considered vulnerable;
however, it is uncertain whether the exposed/used functionalities of the libraries are
actually being used. As a result, the actual vulnerabilities cannot be verified.
Ease

Ease of Identification:
The identification is fairly easy, by monitoring and identifying the vulnerable versions of the
libraries. The ease of identification is considered very high.
Ease of Exploitation:
The exploitation of the vulnerabilities depends on specific functionality within the libraries
being used in the site/application code.

Potential Impact:
An attacker could potentially exploit various vulnerabilities in the affected libraries such as
Cross Site Scripting. These vulnerabilities do not target the server but rather its users. The
impacts of such attack can range from the disclosure of the user’s sensitive information to
execution of arbitrary code on the target user’s system.
Exposure Level:
The exposure level is considered very low.

*Corrective Actions: *Consider updating the affected libraries to the latest version.

1 answer

0 votes

You would need to pull apart Confluence and rebuild it with a set of unsupported code changes to implement this.

Two big impacts here are

  • A lot of software uses password autocomplete as part of "passport safe" functions.  You absolutely do not want to remove this because people who use passport safes are more secure than people who do not.  I have complex and unique passwords in my safe, which is more secure than re-using or sharing passwords or writing them down somewhere obvious. 
  • You will be making upgrading and patching harder for yourself, but more importantly, you will sacrifice vendor support - the instant you do this, you are unsupported, which is a very large security risk (Atlassian will still try to help, but they are under no obligation if you've put unsupported changes into their software)

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Confluence

What project did you transition or start on Confluence with the shift to remote work?

It’s been great to hear from fellow users over the last few weeks about the best tips and fun moments you’ve had working on Confluence since the transition to working remote. I’d love to keep the c...

67 views 3 5
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you