Closed
Bug 589119
Opened 14 years ago
Closed 8 years ago
It is still possible to access secured resources from Jira after logging out of Jira 4.1.2.
Categories: (Core :: Security, defect)
Status: RESOLVED INVALID
People: (Reporter: davidpaterson, Unassigned)
Attachments: 1 file (100.03 KB, image/png)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Firefox allows you to view restricted content from a Jira system after explicit logout via the browser.

Reproducible: Always

Steps to Reproduce:
1. Login to Jira.
2. Select an Issue.
3. Display the XML for that issue (copy url)
4. Logout of Jira.
5. Don't close browser, Enter URL (in new tab or existing).
6. Firefox will display the xml.

Note: After an indeterminate length of time Firefox will return rubbish (technical definition = string that looks like random data rendered as unicode, could be internal buffer contents, can't be sure).

Actual Results:
Either we get the issue (as xml) or more of a concern appears (not sure) to return the contents of a buffer.

Expected Results:
Either we get the issue (as xml) or more of a concern appears (not sure) to return the contents of a buffer.

Jira 4.1.2
Comment 1 • 14 years ago
What makes you think the issue is in Firefox and not in Jira?
Comment 2 (Reporter) • 14 years ago
Hi Ludovic,

You're absolutely right, I can't be sure, so this has been raised to both Atlassian and yourselves.

So, as a professional tester I didn't just try Firefox, I also tried IE 7 & 8 (both of which do not produce this problem), so it's either a Jira (Firefox) specific bug, or something worse. (It might not be so, but the enclosed screenshot is a little worrying. E.g. where are the random chars coming from? Are they a malformed response from Jira or from Firefox? Really don't know!)

You have every right to be sceptical, I would be, but I think it's worth raising anyway, and like I said it's with Atlassian as well.

Thanks for the response. Have a good weekend.

Regards
Dave Paterson

P.S. If I get some time free next week I will put Fiddler on the system and look at the response, ok?
Comment 3 (Reporter) • 14 years ago
Comment 4 • 14 years ago
This ain't an attack vector as per se. Marking non s-s for now.
Group: core-security
Comment 5 • 8 years ago
This is not at all an issue with Firefox. I tested it using my Jira account. I didn't have any such issue and was nicely redirected to the login page. Probably this occurred due to a misconfiguration in your Jira or something like a proxy or WAF in your network.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID