[magnolia-dev] [JIRA] Commented: (MAGNOLIA-3191) The content of log files is not escaped before being rendered via log viewer

Thu, 06 May 2010 02:48:06 -0700 


    [ 
http://jira.magnolia-cms.com/browse/MAGNOLIA-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=28203#action_28203
 ] 

Hudson CI server commented on MAGNOLIA-3191:
--------------------------------------------

Integrated in !http://hudson.magnolia-cms.com/nocacheImages/16x16/blue.gif! 
[magnolia_main-trunk 
#1605|http://hudson.magnolia-cms.com/job/magnolia_main-trunk/1605/]
     MAGNOLIA-3191 Escape html in log file content to prevent accidental 
execution while browsing log files..


> The content of log files is not escaped before being rendered via log viewer
> ----------------------------------------------------------------------------
>
>                 Key: MAGNOLIA-3191
>                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3191
>             Project: Magnolia
>          Issue Type: Bug
>          Components: admininterface
>    Affects Versions: 4.1.4, 4.2.3, 4.3.1
>            Reporter: Jan Haderka
>            Assignee: Jan Haderka
>            Priority: Critical
>             Fix For: 4.2.x, 4.3.x, 4.1.x
>
>
> Currently content of the log files is assumed to be safe. This assumption is 
> incorrect as the log file might include messages from content entered by 
> users in search form or other input fields on the site and therefore must be 
> escaped.
> While the issue impact with properly secured access to AdminCentral (protect 
> access to {{.magnolia}} URI from public net) is minimal, I'm setting priority 
> to critical and will push the fix into next maintenance release. Protecting 
> the {{.magnolia}} URI means that even should the attacker potentially obtain 
> the session cookie, (s)he would not be able to login to the AdminCentral 
> unless being in the range of addresses from which access is allowed.
> Workaround: 
> - do not use log viewer in the AdminCentral, but view the log files directly 
> in the file system.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------

Reply via email to