[ https://issues.apache.org/jira/browse/DISPATCH-886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ernest Allen resolved DISPATCH-886.
-----------------------------------
    Resolution: Fixed
    Fix Version/s: 1.1.0

> Console does not properly escape HTML in entity names
> -----------------------------------------------------
>
>                 Key: DISPATCH-886
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-886
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Console
>    Affects Versions: 1.0.0
>            Reporter: Ernest Allen
>            Assignee: Ernest Allen
>             Fix For: 1.1.0
>
>
> From ENTMQIC-1888
>
> Put this into the qdrouterd.conf file:
>
>     router { id: Ro<b>u</b>ter.A }
>
> Then connect to the router with the console.
> In the tree on the left in the Overview page, the u will actually be bold.
> The Overview page will refer to the router as Ro<b>u< in the table of routers
> on the right, that is, part of the name is missing. The DOM looks like this:
>
>     <span ng-cell-text="" class="ng-binding">Ro<b>u<</span>
>
> Regarding exploitability, I did manage to send a command to Jolokia (to kill
> the Artemis broker) by creating the following address prefix and then having the
> admin look at it.
>
>     qdmanage create --type=address prefix=aPrefix name="<img src=\"http://127.0.0.1:8161/hawtio/jolokia/exec/org.apache.activemq.artemis:type=Broker,brokerName=%220.0.0.0%22,module=Core,serviceType=Server/forceFailover()\"></img>"
>
> Now open up the Entities tab in the browser and expand the address subtree on
> that page.
> I did not manage to push through any JavaScript (to do XSS) and I needed to
> edit the server config or use qdmanage to put in the HTML. In other words, I
> had to be server admin to do this.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
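The rendering bug described in the issue above, as an added example that is not Qpid Dispatch console code or the project's actual fix: an entity name containing markup is spliced into the cell's HTML verbatim, so the `<b>` in the router id and the `<img>` in the address name become live elements (and the browser fetches the `img src`, which is what reached Jolokia). The hardened renderer escapes the name before it is inserted, and a small checker reports whether a rendered cell still contains any tag other than the wrapping `<span>`. The sample names are constructed from the values quoted in the issue; `renderCellUnsafe`, `renderCellSafe`, `escapeHtml` and `containsInjectedTag` are hypothetical names for this illustration. It runs under Node.js with the DOM simulated as strings.

```javascript
// Added example, not code from the Qpid Dispatch console.
// Sample entity names, constructed from the values quoted in DISPATCH-886.
const ROUTER_ID = 'Ro<b>u</b>ter.A';
const ADDRESS_NAME =
  '<img src="http://127.0.0.1:8161/hawtio/jolokia/exec/' +
  'org.apache.activemq.artemis:type=Broker,brokerName=%220.0.0.0%22,' +
  'module=Core,serviceType=Server/forceFailover()"></img>';

// Escape the five characters that can change the meaning of an HTML text
// node or attribute value. A single pass is enough: '&' is replaced in the
// same scan as the others, so no double-escaping occurs.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

// Mimics the buggy rendering: the name is inserted as-is, so <b>...</b> in the
// router id and <img ...> in the address name become real elements.
function renderCellUnsafe(name) {
  return `<span ng-cell-text="" class="ng-binding">${name}</span>`;
}

// Hardened rendering: the name is escaped first, so the browser displays the
// literal characters and never creates the embedded elements or fetches the
// image URL.
function renderCellSafe(name) {
  return `<span ng-cell-text="" class="ng-binding">${escapeHtml(name)}</span>`;
}

// Checker: strip the wrapping <span> and report whether anything inside still
// looks like the start of a tag. Any match means the name became markup.
function containsInjectedTag(html) {
  const inner = html.replace(/^<span[^>]*>/, '').replace(/<\/span>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Stand-alone demonstration.
for (const name of [ROUTER_ID, ADDRESS_NAME]) {
  console.log('unsafe :', containsInjectedTag(renderCellUnsafe(name)));
  console.log('safe   :', containsInjectedTag(renderCellSafe(name)));
  console.log('rendered:', renderCellSafe(name));
}
```

The same checker can be pointed at a real page by passing it `element.innerHTML` of a rendered cell in the browser console. In general, a templating mechanism that binds text (in AngularJS, `{{ }}` interpolation or `ng-bind`) escapes for you; anything that writes raw HTML (`ng-bind-html`, `innerHTML`, string concatenation into the DOM) does not, and entity names coming from the router's configuration must be treated as untrusted input even though only an administrator can set them.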