[ http://jira.magnolia-cms.com/browse/MAGNOLIA-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=28203#action_28203 ]
Hudson CI server commented on MAGNOLIA-3191:
--------------------------------------------

Integrated in [magnolia_main-trunk #1605|http://hudson.magnolia-cms.com/job/magnolia_main-trunk/1605/]
MAGNOLIA-3191 Escape html in log file content to prevent accidental execution while browsing log files.

> The content of log files is not escaped before being rendered via log viewer
> ----------------------------------------------------------------------------
>
>                 Key: MAGNOLIA-3191
>                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3191
>             Project: Magnolia
>          Issue Type: Bug
>          Components: admininterface
>    Affects Versions: 4.1.4, 4.2.3, 4.3.1
>            Reporter: Jan Haderka
>            Assignee: Jan Haderka
>            Priority: Critical
>             Fix For: 4.2.x, 4.3.x, 4.1.x
>
>
> Currently, the content of the log files is assumed to be safe. This assumption is
> incorrect, as the log file might include messages from content entered by
> users in the search form or other input fields on the site, and therefore must be
> escaped.
> While the impact of the issue with properly secured access to AdminCentral (protect
> access to the {{.magnolia}} URI from the public net) is minimal, I'm setting the priority
> to critical and will push the fix into the next maintenance release. Protecting
> the {{.magnolia}} URI means that even should the attacker potentially obtain
> the session cookie, (s)he would not be able to log in to the AdminCentral
> unless being in the range of addresses from which access is allowed.
>
> Workaround:
> - do not use the log viewer in the AdminCentral, but view the log files directly
>   in the file system.

--
This message is automatically generated by JIRA.
For list details see http://www.magnolia-cms.com/home/community/mailing-lists.html
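As an added illustration of the defect the issue describes (this is example code, not Magnolia's own log viewer), a minimal Java renderer that shows raw log text concatenated into the page next to the escaped form. The class, method names and log lines are hypothetical and constructed; the only assumption is that log lines are rendered inside a `<pre>` element body.

```java
import java.util.List;

/**
 * Hypothetical log-viewer rendering helper (added example, not Magnolia code):
 * shows the unescaped rendering the issue describes next to the escaped form.
 */
public final class LogViewerRenderer {

    /** Escape the five characters that matter inside an HTML element body. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Before the fix: raw log text is concatenated into the page as markup. */
    static String renderUnescaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>\n");
        for (String line : lines) html.append(line).append('\n');
        return html.append("</pre>").toString();
    }

    /** After the fix: every line is escaped, so log content is only ever text. */
    static String renderEscaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>\n");
        for (String line : lines) html.append(escapeHtml(line)).append('\n');
        return html.append("</pre>").toString();
    }

    public static void main(String[] args) {
        // Constructed log lines: the first echoes a site search term, which is
        // exactly how user-controlled markup ends up in a log file.
        List<String> log = List.of(
            "2010-06-01 10:00:00 INFO  SearchServlet - query=\"<script>/*injected*/</script>\"",
            "2010-06-01 10:00:01 WARN  CacheFilter - entry expired for /home.html");
        System.out.println("UNESCAPED (browser would run the script):\n" + renderUnescaped(log));
        System.out.println("ESCAPED (browser shows it as text):\n" + renderEscaped(log));
    }
}
```

The escaped output renders the search term literally as `&lt;script&gt;...`, which is the behaviour the fix in magnolia_main-trunk #1605 restores for the AdminCentral log viewer.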