Closed Bug 589119 Opened 14 years ago Closed 8 years ago

It is still possible to access secured resources from Jira after logging out of Jira 4.1.2.

Categories

(Core :: Security, defect)

x86_64
Windows 7
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: davidpaterson, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Firefox allows you to view restricted content from a Jira system after explicit logout via the browser.

Reproducible: Always

Steps to Reproduce:
1. Login to Jira.
2. Select an Issue.
3. Display the XML for that issue (copy the URL).
4. Log out of Jira.
5. Don't close the browser; enter the URL (in a new tab or the existing one).
6. Firefox will display the XML.

Note: After an indeterminate length of time Firefox will return rubbish (technical definition = a string that looks like random data rendered as Unicode; could be internal buffer contents, can't be sure).

Actual Results:
Either we get the issue (as XML) or, more of a concern, it appears (not sure) to return the contents of a buffer.

Expected Results:  
Either we get the issue (as XML) or, more of a concern, it appears (not sure) to return the contents of a buffer.

Jira 4.1.2
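The reproduction steps above come down to one question: does logout invalidate the session on the server, or does it only expire the cookie in the browser? The following is an added example, not code from the bug report or from Atlassian's Jira: a toy in-process HTTP server with both kinds of logout, and a probe that runs the reporter's sequence (log in, fetch the protected XML, log out, re-request the same URL) and reports whether the resource is still served. The paths (/login, /logout, /issue/<key>.xml), the cookie name sid, the 401 for unauthenticated requests and the XML body are all assumptions for illustration. The probe deliberately replays the pre-logout session id, because that is what another tab, an intermediary proxy or a saved request can do regardless of what the browser did with its cookie.

```python
"""Added example (not from the bug report or from Jira): a toy server with a
client-only logout and a server-side logout, plus a probe for the difference.
All paths, names and the session scheme are assumptions for illustration."""
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> username.
SESSIONS = {}


class IssueHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for an issue tracker; not Jira's real behaviour."""

    invalidate_on_logout = True  # overridden per server instance in start_server

    def log_message(self, *args):  # keep request logging quiet
        pass

    def _reply(self, status, body=b"", **headers):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["sid"].value if "sid" in cookies else None
        if self.path == "/login":
            # GET login is a simplification; a real app takes credentials via POST.
            sid = secrets.token_hex(16)
            SESSIONS[sid] = "reporter"
            self._reply(200, Set_Cookie=f"sid={sid}; HttpOnly; Path=/")
        elif self.path == "/logout":
            if self.invalidate_on_logout:
                SESSIONS.pop(sid, None)  # the real logout: forget the session server-side
            # Expiring the cookie only tells this browser to drop it. Any other copy of
            # the session id keeps working unless the server forgot the session too.
            self._reply(200, Set_Cookie="sid=; Max-Age=0; Path=/")
        elif self.path.startswith("/issue/") and self.path.endswith(".xml"):
            if sid not in SESSIONS:
                self._reply(401)  # assumption: 401 rather than a redirect to the login page
            else:
                key = self.path[len("/issue/"):-len(".xml")]
                body = f"<rss><channel><item><key>{key}</key></item></channel></rss>".encode()
                # no-store stops a browser from replaying a cached copy after logout
                self._reply(200, body, Content_Type="text/xml", Cache_Control="no-store")
        else:
            self._reply(404)


def start_server(invalidate_on_logout):
    """Start a server on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (IssueHandler,), {"invalidate_on_logout": invalidate_on_logout})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def _get(url, cookie=None):
    """GET url with an optional Cookie header; returns (status, headers, body)."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, b""


def resource_survives_logout(base_url, path="/issue/TEST-1.xml"):
    """Replay the reporter's steps against base_url. Returns True if the protected
    XML is still served with the pre-logout session id, i.e. logout did not
    invalidate the session on the server."""
    _, headers, _ = _get(base_url + "/login")
    cookie = headers["Set-Cookie"].split(";", 1)[0]  # "sid=<hex>"
    status, _, body = _get(base_url + path, cookie)
    if status != 200 or not body.startswith(b"<rss>"):
        raise RuntimeError("could not fetch the resource while logged in")
    _get(base_url + "/logout", cookie)
    status, _, _ = _get(base_url + path, cookie)  # old session id, as a stale copy would send
    return status == 200


if __name__ == "__main__":
    for invalidate in (False, True):
        srv, base = start_server(invalidate)
        print(f"server-side invalidation={invalidate}: "
              f"resource survives logout={resource_survives_logout(base)}")
        srv.shutdown()
        srv.server_close()
```

Run it directly to see both outcomes: with the client-only logout the probe returns True, with server-side invalidation it returns False. The same probe can be pointed at a real instance once the paths and cookie name are adjusted; a True there means the session store, not the browser, is at fault. The other header worth checking on the protected response is Cache-Control: no-store, since a browser replaying a cached copy after logout shows the same symptom without any request reaching the server.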
What makes you think the issue is in Firefox and not in Jira?
Hi Ludovic,

       You're absolutely right, I can't be sure, so this has been raised to both Atlassian and yourselves.

       So, as a professional tester I didn't just try Firefox; I also tried IE 7 & 8 (both of which do not produce this problem), so it's either a Jira (Firefox-specific) bug, or something worse (it might not be so, but the enclosed screenshot is a little worrying, e.g. where are the random chars coming from? Are they a malformed response from Jira or from Firefox? Really don't know!).

       You have every right to be sceptical, I would be, but I think it's worth raising anyway, and like I said it's with Atlassian as well.


Thanks for the response.

Have a good weekend.

Regards
Dave Paterson

P.S. If I get some time free next week I will put Fiddler on the system and look at the response, OK?
This ain't an attack vector per se. Marking non s-s for now.
Group: core-security
This is not at all an issue with Firefox. I tested it using my Jira account.
I didn't have any such issue and was nicely redirected to the login page.
Probably this occurred due to a misconfiguration in your Jira or something like a proxy or WAF in your network.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID