Disclosure of information

Kishore Patel November 27, 2012

Over the past few days I have received a number of emails in relation to a password reset from our JIRA installation. Initially the emails were in relation to a password reset for the admin account, but then they were in relation to my own account, which was worrying. We have noticed that my username has then been used to perform a brute force attack on various other web applications that we host.

I have discovered that the hacker requested the following URL: /jira/secure/IssueNavigator!executeAdvanced.jspa. This results in an issue navigator screen with no information; however, when the manage option is selected, it shows a list of user-created filters, and this shows the owner's name and username.

Can this disclosure of information be prevented?

Are there other pages which users can access without being logged in and could potentially disclose information?
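One way for an administrator to answer the second question on their own instance is an anonymous-access check: request each candidate page with no session cookie and flag anything that returns content instead of a login redirect or login form. This is an added example, not code from the original post or from Atlassian; the ManageFilters path, the login-form markers and the sample responses are assumptions, and `fetch_anonymous` is only used when you point `audit` at a real base URL.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# The URL from the post plus the "manage filters" screen reached from it.
# The ManageFilters path and the login-form markers are assumptions.
PATHS_TO_CHECK = [
    "/jira/secure/IssueNavigator!executeAdvanced.jspa",
    "/jira/secure/ManageFilters.jspa",
]
LOGIN_MARKERS = ("os_username", "login.jsp")

@dataclass
class Response:
    status: int
    location: str  # Location header on a redirect, "" otherwise
    body: str

class _NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it

def fetch_anonymous(url: str) -> Response:
    """GET url with no session cookie; a redirect is returned, not followed."""
    try:
        with build_opener(_NoRedirect).open(Request(url), timeout=15) as r:
            return Response(r.status, "", r.read().decode("utf-8", "replace"))
    except HTTPError as e:
        return Response(e.code, e.headers.get("Location", ""), e.read().decode("utf-8", "replace"))

def classify(resp: Response) -> str:
    """'login-required' if anonymous access was refused, 'exposed' if content came back."""
    if resp.status in (401, 403) or (300 <= resp.status < 400 and "login" in resp.location.lower()):
        return "login-required"
    if resp.status == 200:
        return "login-required" if any(m in resp.body for m in LOGIN_MARKERS) else "exposed"
    return "other"

def audit(base_url: str, paths: List[str], fetch: Callable[[str], Response] = fetch_anonymous) -> Dict[str, str]:
    """Map each path to its anonymous-access verdict; anything 'exposed' needs a permission fix."""
    return {p: classify(fetch(base_url + p)) for p in paths}

# Constructed responses standing in for a live instance so the check runs offline.
SAMPLE = {PATHS_TO_CHECK[0]: Response(200, "", "<td>Owner</td><td>jsmith</td>"),
          PATHS_TO_CHECK[1]: Response(302, "/jira/login.jsp?os_destination=%2Fsecure%2FManageFilters.jspa", "")}

def sample_fetch(url: str) -> Response:
    return SAMPLE[urlsplit(url).path]
```

Run `audit(base_url, PATHS_TO_CHECK)` against the real instance after any upgrade or permission-scheme change, and treat every 'exposed' path as a regression to fix before attackers find it.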

2 answers

0 votes
Norman Abramovitz
Rising Star
November 28, 2012

Here is a URL for what Atlassian does when security vulnerabilities are found.

https://confluence.atlassian.com/display/JIRA/Security+Advisories

0 votes
Norman Abramovitz
Rising Star
November 28, 2012

If you have not done so, please contact support. There are security-related tools that can test access to pages, but they are only as good as the person designing the test cases.
