Application Links (sometimes called “app links”) is a bundled app that allows you to set up links, share information, and provide access to certain resources or functionality across multiple Atlassian products.
Linking Confluence to other applications allows you to include information from those applications in pages or blogs that you create in Confluence. For example, you could link Confluence to Jira Software and display issues on a Confluence page using the Jira Issues Macro.
The /plugins/servlet/jira-chart-proxy endpoint in the Server version of Confluence, when being called, will make a GET request to the /rest/gadget/1.0/piechart/generate endpoint of the linked Jira application in order to get the corresponding pie chart of the given JQL query. If this is the first time you hear about JQL, then it is a query language created for searching issues in Jira more efficiently, especially when your search includes multiple criteria, for example:
status=resolved OR projects="BB" OR assigne=ycs OR text ~ "yeuchism*"
You can read more information about the JQL here, or take a quick look at its cheatsheet to get the idea on how it works.
The Server version of Atlassian Confluence comes with a built-in plugin named applinks-cors, with the following declaration in file atlassian-plugin.xml:
The CorsFilter class is implemented as below:
As we can see from the code, for all requests to URLs that match the defined patterns, Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC) headers will be added to the response. The important thing to note here is that the value of the ACAO header is taken from the Origin header of our request.
Two years ago, Progress released a security advisory about a cryptographic weakness issue in Telerik UI for ASP.NET AJAX components that can result in an arbitrary file upload, allowing unauthenticated attackers to compromise vulnerable websites via uploading a webshell. CMSes that use the component, such as DotNetNuke, Sitefinity, are also affected.
While the issue is already 2 years old, and there is no doubt that most of you already knew about it (a detailed analysis, or an automated tool to exploit the issue can be found easily on the internet), it’s still one of most interesting vulnerabilities I’ve found so far.
If even a silly love story has a place on my personal blog, then why isn’t this one?
The Text Editor component of Telerik UI for ASP.NET AJAX has a built-in File Manager feature that allows users to upload files (images, documents, …) and then insert them into their posts.