Tuesday, October 18, 2011

Fun with JIRA

Atlassian's JIRA is an issue tracking system brought to you by the same people who made that-sounds-like-a-disease Confluence. It's used by a wide array of different companies to assign software developers to bug fixes and feature requests. The app itself is Java-based and typically comes bundled with Apache Tomcat. You can read more about the requirements here.

Google Dork
Because the JIRA dashboard generates distinctive URLs, you can find open systems with a simple search for:
inurl:/secure/Dashboard.jspa
Some of these JIRA instances require authentication to poke around, others don't. Either way, it's an interesting look into who uses JIRA and what issues they're tracking. Highlights include software components, technologies in use, and developer names.

Server Information
JIRA also supports a charting plugin, built around JFreeChart. You can see an example of one of these charts in the screenshot below.

In version 4.3.4 (I haven't tested any others), you can right-click on this image and select "View Image." This will take you to a URL with a format similar to .../charts?filename=jfreechart-onetime-666hashstuff.png and give you a classy dump of server information.
In the "cause" section you can see the install directory and location of the temp folder used for chart generation. If you dig past the stack trace, you can find things such as:
  • JIRA versions
  • Build dates
  • Install types
  • Application server / version
  • Memory information
  • Java version and JVM
  • Username
  • Server OS
  • Server processor architecture
  • Database type / version
  • Plugins
There's a bunch of other random information in there as well. This is possibly just the result of a misconfigured error page, but JIRA's own tickets seem to suggest that it's supposed to happen. Regardless, if you happen to notice a JIRA install, it may be worth looking for.
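
If you run JIRA yourself, the same URL shape is easy to watch for in your access logs. The Python below is an added example, not part of the original post: it lists clients whose chart requests were answered with an error page. It assumes the Apache/Tomcat common log format and that the dump is served with a 5xx status; the sample lines, addresses and filenames are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common log format prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample input (documentation IP ranges, made-up chart names).
SAMPLE_LOG = """
192.0.2.10 - - [18/Oct/2011:10:01:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 18432
192.0.2.10 - - [18/Oct/2011:10:01:03 +0000] "GET /charts?filename=jfreechart-onetime-EXAMPLE1.png HTTP/1.1" 200 9120
198.51.100.7 - - [18/Oct/2011:10:05:40 +0000] "GET /charts?filename=jfreechart-onetime-EXAMPLE1.png HTTP/1.1" 500 24310
198.51.100.7 - - [18/Oct/2011:10:05:44 +0000] "GET /jira/charts?filename=jfreechart-onetime-EXAMPLE2.png HTTP/1.1" 500 24298
"""


def chart_error_hits(lines):
    """Return {client: [(time, filename, status), ...]} for chart
    requests that were answered with a server error page."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or a format this parser does not know
        url = urlsplit(m["target"])
        # The post's URL shape is .../charts?filename=...; the context
        # path in front of /charts depends on how JIRA is deployed.
        if not url.path.rstrip("/").endswith("/charts"):
            continue
        filename = parse_qs(url.query).get("filename", [""])[0]
        status = int(m["status"])
        # Assumption: the server-information dump comes back as a 5xx.
        if status >= 500:
            hits[m["host"]].append((m["time"], filename, status))
    return dict(hits)


if __name__ == "__main__":
    for client, events in chart_error_hits(SAMPLE_LOG.splitlines()).items():
        print(client, len(events), "chart error page(s)")
        for when, filename, status in events:
            print("   ", when, status, filename)
```

Hits from clients that never loaded the dashboard first are the ones worth a closer look.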

Also worth noting is this ticket, which suggests that some of the generated charts stick around for a while. Feel free to try and fill up the temp directory.