[
https://issues.apache.org/jira/browse/FELIX-6127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16839342#comment-16839342
]
Ashok Kumar commented on FELIX-6127:
------------------------------------
[~karlpauls] , As discussed, attached is the js side patch -
[^escape_namehint_config_js.patch] Pleased review.
> escape nameHint for configuration listing
> ------------------------------------------
>
> Key: FELIX-6127
> URL: https://issues.apache.org/jira/browse/FELIX-6127
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Affects Versions: webconsole-4.3.8
> Reporter: Ashok Kumar
> Assignee: Karl Pauls
> Priority: Major
> Fix For: webconsole-4.3.10
>
> Attachments: escape_namehint_config_js.patch,
> nameHint_escape_tags.patch
>
>
> There is a XSS vulnerability in configMgr where adding a html or script tag
> in log file name. Since this console is only accessible to admin, threat
> rating of this vulnerability is very low.
> *Steps to reproduce :*
> * In /system/console/configMgr, find Apache Sling Logging Logger
> Configuration
> * Edit one of the logs, e.g logs/auditlog.log
> * Change to logs/auditlog.log<script>alert("xss")</script>
> * Click Save and refresh
> * Scroll to the configuration and see alert pop up injected
> *Expected Behavior :* Injected script should be escaped.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
