[jira] [Commented] (FELIX-6128) Issue in the bundle Web Console

Karl Pauls (JIRA) Thu, 09 May 2019 04:54:33 -0700


    [ 
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836303#comment-16836303
 ]


Karl Pauls commented on FELIX-6128:
-----------------------------------

Hi [~ashokpanghal], thanks a lot for looking into this - yes, I think we should 
have a look at all headers and see where it makes sense to escape them.

> Issue in the bundle Web Console
> -------------------------------
>
>                 Key: FELIX-6128
>                 URL: https://issues.apache.org/jira/browse/FELIX-6128
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Antonio Sanso
>            Priority: Major
>         Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail  reported an XSS issue in the bundle Web Console.
> After logining,I visit the page whose url is 
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and before uploading a jar file,I change the 
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visit the page,he will be affected by the stored xss. 
> See attached images



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (FELIX-6128) Issue in the bundle Web Console

Reply via email to