
It is still possible to access secured resources from Jira after logging out of Jira 4.1.2.

Status: RESOLVED INVALID

Product: Core
Component: Security
Priority: --
Severity: critical
Reported: 7 years ago
Modified: a year ago

People

(Reporter: David Paterson, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Firefox allows you to view restricted content from a Jira system after explicit logout via the browser.

Reproducible: Always

Steps to Reproduce:
1. Login to Jira.
2. Select an Issue.
3. Display the XML for that issue (copy url)
4. Logout of Jira.
5. Don't close browser, Enter URL (in new tab or existing).
6. Firefox will display the xml.

Note: After an indeterminate length of time Firefox will return rubbish (technical definition = string that looks like random data rendered as unicode, could be internal buffer contents, can't be sure).
Actual Results:  
Either we get the issue (as xml) or more of a concern appears (not sure) to return the contents of a buffer. 

Expected Results:  
Either we get the issue (as xml) or more of a concern appears (not sure) to return the contents of a buffer. 

Jira 4.1.2
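The steps above are the classic symptom of a response that the browser was allowed to keep in its cache: once the XML is stored as fresh, a later request for the same URL is answered locally and the server, and therefore the logout, never sees it. The thing to check when the response is captured (as the reporter plans to do with Fiddler) is whether its headers permit that. The following is an added example for this report, not code from the bug, from Firefox or from Jira; it applies the RFC 7234 freshness rules to a set of response headers and says whether the response could be reused after logout. The header sets in SAMPLES are constructed to show the cases and are not captured from Jira 4.1.2.

```python
"""Classify HTTP response headers by whether a browser may serve the
response from its cache after the session has ended (RFC 7234 rules).

Added example for the bug report; the SAMPLES below are constructed,
not captured from any real Jira instance.
"""

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control (or Pragma) value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _http_date(value):
    """Parse an HTTP-date into an aware UTC datetime; None if it is invalid."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def freshness_lifetime(headers):
    """Explicit freshness lifetime in seconds, or None if the server gave none.

    max-age wins over Expires (RFC 7234 4.2.1); a browser is a private cache,
    so s-maxage is ignored. An unparsable Expires such as "0" means already
    expired (RFC 7234 5.3).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "max-age" in cc:
        try:
            return max(int(cc["max-age"] or 0), 0)
        except ValueError:
            return 0
    if "expires" in h:
        expires = _http_date(h["expires"])
        if expires is None:
            return 0
        base = _http_date(h.get("date", "")) or datetime.now(timezone.utc)
        return max(int((expires - base).total_seconds()), 0)
    return None


def cache_verdict(headers):
    """What a browser cache may do with this response on a later request.

    no-store         never written to the cache
    revalidate       stored, but each reuse asks the server first, so the
                     server's logout state is honoured
    fresh-explicit   reusable with no request to the server for the given
                     lifetime; a logout cannot prevent that
    fresh-heuristic  no lifetime given, but Last-Modified lets the browser
                     assign one itself (RFC 7234 4.2.2): same exposure
    no-freshness     nothing to base a lifetime on; browsers revalidate
    'private' changes none of this: it only excludes shared caches, and the
    browser's own cache is a private one.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"
    if "no-cache" in cc or "no-cache" in parse_cache_control(h.get("pragma", "")):
        return "revalidate"
    lifetime = freshness_lifetime(headers)
    if lifetime is not None:
        return "fresh-explicit" if lifetime > 0 else "revalidate"
    return "fresh-heuristic" if "last-modified" in h else "no-freshness"


def reusable_after_logout(headers):
    """True if the URL can be answered from cache without the server seeing it."""
    return cache_verdict(headers) in ("fresh-explicit", "fresh-heuristic")


# Constructed header sets (not captured from Jira) covering each verdict.
LM = "Fri, 13 Aug 2010 10:00:00 GMT"
SAMPLES = {
    "xml_with_last_modified": {"Content-Type": "text/xml;charset=UTF-8", "Last-Modified": LM},
    "private_max_age": {"Cache-Control": "private, max-age=3600"},
    "expires_in_future": {"Date": LM, "Expires": "Fri, 13 Aug 2010 11:00:00 GMT"},
    "expires_zero": {"Expires": "0", "Last-Modified": LM},
    "no_cache_only": {"Cache-Control": "no-cache"},
    "hardened": {"Cache-Control": "no-store, no-cache, must-revalidate",
                 "Pragma": "no-cache", "Expires": "0"},
    "bare": {"Content-Type": "text/xml;charset=UTF-8"},
}


def classify_samples():
    """Return {sample name: verdict} for every constructed header set."""
    return {name: cache_verdict(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        flag = "REUSABLE AFTER LOGOUT" if reusable_after_logout(SAMPLES[name]) else "ok"
        print(f"{name:24} {verdict:16} {flag}")
```

The case to look for in a capture is the first one: an authenticated 200 response with a Last-Modified header and no Cache-Control at all is enough for a browser to assign its own freshness lifetime, after which the XML is served locally until that lifetime runs out, regardless of what the server's session state says. A proxy or WAF in front of the application that strips or rewrites caching headers produces the same effect, which is why the same URL can behave differently on two networks.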
Comment 1

What makes you think the issue is in Firefox and not in Jira?
(Reporter)

Comment 2

7 years ago
Hi Ludovic,

You're absolutely right, I can't be sure, so this has been raised to both Atlassian and yourselves.

So, as a professional tester I didn't just try Firefox, I also tried IE 7 & 8 (both of which do not produce this problem), so it's either a Jira (Firefox) specific bug, or something worse (it might not be so, but the enclosed screenshot is a little worrying. E.g. where are the random chars coming from? Are they a malformed response from Jira or from Firefox? Really don't know!).

You have every right to be sceptical, I would be, but I think it's worth raising anyway, and like I said it's with Atlassian as well.

Thanks for the response.

Have a good weekend.

Regards
Dave Paterson

P.S. If I get some time free next week I will put Fiddler on the system and look at the response, ok?
(Reporter)

Comment 3

7 years ago
Created attachment 467788
Screenshot of unexpected response

Comment 4

This ain't an attack vector per se. Marking non s-s for now.
Group: core-security

Comment 5

a year ago
This is not at all an issue with Firefox. I tested it using my Jira account.
I didn't have any such issue and was nicely redirected to the login page.
Probably this occurred due to misconfiguration in your Jira or something like a proxy or WAF in your network.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID