Anonymous access to Remote API

Description:

Atlassian Confluence provides a Remote XML-RPC and SOAP API to change and read data in Confluence. This API is deprecated and has been replaced by a REST API since version 5.5, but it can still be in use on some instances. In that case it is recommended to disable anonymous access to the API to prevent bots from making destructive changes in bulk.

Testing:

Both the XML-RPC and the SOAP API are deprecated and have been replaced by the REST API since Confluence v5.5, but either can still be reachable. Both APIs are accessible through the following endpoints on your Confluence instance:

XML-RPC:

/rpc/xmlrpc

XML-RPC HTTP request to retrieve a specific page, for example:

POST /rpc/xmlrpc HTTP/1.1
Host: confluence.example.com
Content-Type: text/xml
...

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
 <methodName>confluence2.getPage</methodName>
 <params>
  <param>
   <value>
    <string>{SPACE_KEY}</string>
   </value>
  </param>
  <param>
   <value>
    <string>{PAGE_TITLE}</string>
   </value>
  </param>
 </params>
</methodCall>

or using cURL:

curl -X POST -H 'Content-Type: text/xml' -d '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>confluence2.getPage</methodName><params><param><value><string>{SPACE_KEY}</string></value></param><param><value><string>{PAGE_TITLE}</string></value></param></params></methodCall>' http://confluence.example.com/rpc/xmlrpc

Replace {SPACE_KEY} with your Confluence team's Space Key (this can be found in your URL bar) and {PAGE_TITLE} with the page's title. If the unauthenticated request returns the page's content instead of an XML-RPC fault, anonymous access to the Remote API is enabled.

SOAP:

/rpc/soap-axis/confluenceservice-v2
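The XML-RPC request above turned into a self-check you can run against your own instance, as an added example that is not part of the Misconfig Mapper docs: it builds the same confluence2.getPage call with Python's standard xmlrpc.client, posts it to /rpc/xmlrpc without credentials, and classifies the answer as exposed, denied or unexpected. The space key DOCS, the page title Home and the three sample responses are constructed placeholders, not captures from a real instance; the fault text in particular is invented, so only the fault/non-fault distinction is relied on.

```python
# Added example (not part of the Misconfig Mapper docs): anonymous-access
# self-check for the deprecated Confluence XML-RPC API described above.
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

XMLRPC_PATH = "/rpc/xmlrpc"  # endpoint named on the page


def build_get_page_request(space_key: str, page_title: str) -> bytes:
    """Serialise confluence2.getPage(spaceKey, pageTitle) as an XML-RPC
    methodCall body, equivalent to the hand-written XML above."""
    body = xmlrpc.client.dumps((space_key, page_title),
                               methodname="confluence2.getPage",
                               encoding="utf-8")
    return body.encode("utf-8")


def classify_response(body: bytes) -> str:
    """Map an XML-RPC response body to one of:
      'exposed'    - the call succeeded and returned page data, so an
                     unauthenticated client can use the Remote API
      'denied'     - the server answered with an XML-RPC fault, i.e. the
                     anonymous call was rejected
      'unexpected' - not a parseable XML-RPC response (HTML error page,
                     API removed, proxy interstitial, ...)
    """
    try:
        params, _method = xmlrpc.client.loads(body)  # raises Fault on <fault>
    except xmlrpc.client.Fault:
        return "denied"
    except (ExpatError, xmlrpc.client.ResponseError, ValueError):
        return "unexpected"
    # getPage returns a struct (dict) describing the page; 'id' is its key field
    if params and isinstance(params[0], dict) and "id" in params[0]:
        return "exposed"
    return "unexpected"


def check_instance(base_url: str, space_key: str, page_title: str,
                   timeout: float = 10.0) -> str:
    """POST the anonymous call to <base_url>/rpc/xmlrpc and classify it.
    Not exercised by the samples below; point it at an instance you own."""
    req = urllib.request.Request(
        base_url.rstrip("/") + XMLRPC_PATH,
        data=build_get_page_request(space_key, page_title),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 from Confluence, a proxy or an SSO gate also means "denied"
        return "denied" if err.code in (401, 403) else "unexpected"
    except urllib.error.URLError:
        return "unexpected"


# --- constructed sample responses (not captured from a real instance) ---
SAMPLE_EXPOSED = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><struct>
<member><name>id</name><value><string>98304</string></value></member>
<member><name>space</name><value><string>DOCS</string></value></member>
<member><name>title</name><value><string>Home</string></value></member>
<member><name>content</name><value><string>Welcome page</string></value></member>
</struct></value></param></params></methodResponse>"""

SAMPLE_DENIED = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>0</int></value></member>
<member><name>faultString</name><value><string>Not permitted (constructed sample fault text)</string></value></member>
</struct></value></fault></methodResponse>"""

SAMPLE_HTML = b"<html><body>404 Not Found</body></html>"


if __name__ == "__main__":
    print(build_get_page_request("DOCS", "Home").decode())
    for name, sample in (("exposed", SAMPLE_EXPOSED),
                         ("denied", SAMPLE_DENIED),
                         ("html", SAMPLE_HTML)):
        print(name, "->", classify_response(sample))
    # check_instance("https://confluence.example.com", "DOCS", "Home")
```

Against a live instance, check_instance(...) returning "exposed" is the finding this page describes; "denied" is the state you should see after the remediation step that disables Anonymous Access to Remote API, and "unexpected" usually means the endpoint is no longer served at all.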

Remediation:

It is always recommended to upgrade to and use the latest available version of Atlassian Confluence. To disable anonymous access to the Remote API:

  1. Navigate to your Confluence instance and sign in

  2. Open your Administrator Settings by clicking on the gear icon next to your profile picture

  3. In your side navigation bar, scroll down to Security and open Security Configurations

  4. Make sure that Anonymous Access to Remote API is disabled

  5. Save your changes

Potential Impact:

With the deprecated Remote API enabled and anonymous access allowed, a bad actor can make destructive changes in bulk without authenticating.

References:

https://developer.atlassian.com/server/confluence/remote-confluence-methods/
https://developer.atlassian.com/server/confluence/confluence-xml-rpc-and-soap-apis/
https://confluence.atlassian.com/doc/anonymous-access-to-remote-api-151028.html
https://confluence.atlassian.com/doc/configuring-confluence-security-151515.html