Login Vulnerability in Confluence...?

Hi,

Good Day..!

This is Kevin. Actually, I am here to share my login issues with Confluence.

We have an LDAP system for user management, and whenever a user wants to log in to Confluence it seems it is not encrypted; it takes the plain text to log in. So could anyone please help me out with this? Is there any chance to encrypt the user login and password in the back end? Or else any scripts? Please help me out with this.

Thanks,

Kevin.

1 comment

When you say not encrypted, are you saying the web page is not encrypted, or that the password credentials sent to your LDAP server are not sent over LDAPS (Secure LDAP)?

Hi Davin,

Thanks for your reply.

When the user enters the user name and password, they are not encrypted, and it takes the same data as the user entered.

Thanks,

Kevin.

Again, that doesn't help. How do you know it is not being encrypted? Are you doing packet captures on the back end to see if it is encrypted? Is the page not loading via HTTPS, is your server not connecting to LDAP over a secure channel, or are you seeing plain text in the password field when you type in the password? Please provide details about how you know it is not encrypted.

Actually, we got the encrypted info from the security team in my organization. They found this bug in version 6.15.9, and they clearly mentioned that the data the user entered was not encrypted.

Well, first, I would not say it is a bug. There are certain prerequisites that need to be in place in order to enable encryption. You can't just turn it on, because in a lot of (maybe even most) situations it would fail.

With regards to accessing Confluence over SSL, you need to have an SSL cert from a Certificate Authority. You may have your own trusted cert authority in-house and might be able to issue a cert for Confluence from that. You wouldn't want to just create a cert, say, from OpenSSL, because it probably would not be trusted by any of your web browsers unless you imported the certificate into all your machines' cert stores. The other option would be to get a cert from one of the many public CAs. Once you have that, you would set up either a reverse proxy or edit the server.xml file for Confluence to enable SSL. That covers the encrypting-web-traffic part.

However, if you are doing LDAP for authentication, then the Confluence server will talk to LDAP to verify that the credentials entered are correct. That traffic by default is not encrypted either, as your LDAP server needs to support it. So, you would need to find out if it does support an LDAPS connection. Then you would edit the user directory in Confluence for your LDAP server and turn on secure communication. This may or may not work right away too, because if you use an in-house trusted CA you will need to import your CA certs into the Java cert store located in Confluence_Install/jre/lib/security. The file is called cacerts and the password is the default used for Java installs ... "changeit".
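The two settings Davin's reply points at (an HTTPS connector or TLS reverse proxy in Confluence's Tomcat server.xml, and an ldaps:// URL for the user directory) can be checked offline before anyone reaches for a packet capture. The script below is an added example written for this thread; it is not Atlassian code and not code posted by anyone in the discussion. The server.xml fragments and the LDAP URLs it audits are constructed samples, the file paths and host names are placeholders, and the Tomcat connector attributes it looks for (SSLEnabled, scheme, proxyName, proxyPort) are standard Tomcat attributes.

```python
"""Offline audit of the two transport settings discussed above:
does Confluence's Tomcat connector terminate TLS (or sit behind a TLS
reverse proxy), and does the user-directory URL use ldaps://?
All inputs below are constructed samples, not a real install."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed server.xml: a plain HTTP connector only (what a default
# install looks like before any TLS work is done).
PLAIN_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" maxThreads="48" />
  </Service>
</Server>"""

# Constructed server.xml: Tomcat terminates TLS itself with a keystore.
# Keystore path and password are placeholders.
TLS_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/keystore" keystorePass="PLACEHOLDER"
               sslProtocol="TLS" />
  </Service>
</Server>"""

# Constructed server.xml: plain HTTP to Tomcat, but a TLS reverse proxy
# in front of it (the other option Davin mentions).
PROXIED_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1"
               proxyName="confluence.example.com" proxyPort="443" scheme="https" />
  </Service>
</Server>"""


def https_connectors(server_xml: str) -> list:
    """Return (port, reason) for each connector that either terminates TLS
    (SSLEnabled="true") or advertises a TLS reverse proxy in front of it
    (scheme="https" together with proxyName/proxyPort)."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Attribute names are case-sensitive in XML; normalise for lookup.
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        port = attrs.get("port", "?")
        if attrs.get("sslenabled", "").lower() == "true":
            found.append((port, "terminates TLS"))
        elif attrs.get("scheme") == "https" and "proxyname" in attrs:
            proxy = f"{attrs['proxyname']}:{attrs.get('proxyport', '?')}"
            found.append((port, f"behind TLS proxy {proxy}"))
    return found


def ldap_url_is_secure(url: str) -> bool:
    """True only for an ldaps:// URL. Pointing ldap:// at port 636 is not
    enough: the scheme is what makes the client negotiate TLS."""
    return urlparse(url).scheme.lower() == "ldaps"


def audit(server_xml: str, ldap_url: str) -> list:
    """Collect human-readable findings; an empty list means both hops
    (browser -> Confluence, Confluence -> LDAP) are configured for TLS."""
    findings = []
    if not https_connectors(server_xml):
        findings.append("web: no HTTPS connector or TLS reverse-proxy "
                        "connector found in server.xml")
    if not ldap_url_is_secure(ldap_url):
        findings.append(f"ldap: directory URL {ldap_url} is not ldaps://")
    return findings


if __name__ == "__main__":
    samples = [("plain", PLAIN_SERVER_XML),
               ("tls", TLS_SERVER_XML),
               ("proxied", PROXIED_SERVER_XML)]
    for name, xml in samples:
        print(name, audit(xml, "ldap://ldap.example.com:389"))
```

Running it against a real install means reading Confluence_Install/conf/server.xml and the LDAP URL shown in the user directory settings; the plain sample reports both findings, the TLS and proxied samples clear the web check but still flag the ldap:// URL until the directory is switched to ldaps://.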

Thank you, Davin, for your suggestion. The vulnerability in the application is confirmed by the support team; they also found the same vulnerability, and the developer team is currently working on that.
