[FELIX-6128] Issue in the bundle Web Console - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: webconsole-4.3.8
Fix Version/s: webconsole-4.3.10
Component/s: Web Console
Labels:
None

Description

RunningSnail reported an XSS issue in the bundle Web Console.

After logining,I visit the page whose url is http://127.0.0.1:8080/system/console/bundles.
Then I click "Install/Update" and before uploading a jar file,I change the content of the "MANIFEST.MF" in the jar file.

So when an admin visit the page,he will be affected by the stored xss.

See attached images

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image003.png
09/May/19 09:59
88 kB
Antonio Sanso
image002.png
09/May/19 09:59
22 kB
Antonio Sanso
escape_bundle_name_and_other_manifest_headers.patch
09/May/19 12:56
3 kB
Ashok Kumar
escape_bundle_name_and_manifest_headers.patch
14/May/19 11:29
2 kB
Ashok Kumar

Activity

People

Assignee:: Karl Pauls

Reporter:: Antonio Sanso

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 09/May/19 09:59

Updated:: 20/May/19 11:30

Resolved:: 15/May/19 20:21