[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286151#comment-17286151
 ] 

Konrad Windszus edited comment on SLING-10147 at 2/17/21, 9:31 PM:
-------------------------------------------------------------------

See the discussion at SLING-3543. Exposing the bindings requires a real Sling 
Servlet Request, therefore this generic servlet binding. Doing the same kind 
of access check requires probably a dependency on the 
WebConsoleSecurityProvider service. But IMHO that service is optional (even 
with Sling) so it must also work without it. 
Maybe reusing the OsgiManagerHttpContext is an option 
(https://github.com/apache/felix-dev/blob/e8fbf5bae0b736e187f603ae05d5b2ebeafb7973/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L961)


was (Author: kwin):
See the discussion at SLING-3543. Exposing the bindings requires a real Sling 
Servlet Request, therefore this generic servlet binding. Doing the same kind 
of access check requires probably a dependency on the 
WebConsoleSecurityProvider service. But IMHO that service is optional (even 
with Sling) so it must also work without it.

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  



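A guarded form of such a selector servlet, as an added example that is not Sling's own code: it delegates the check to the optional WebConsoleSecurityProvider2 when one is registered (the approach discussed in the comment above) and otherwise falls back to an admin-only rule. The class name, package, fallback rule and the `json` extension binding are assumptions, not taken from the Scripting Core implementation.

```java
package example; // hypothetical package, not the Sling Scripting Core code

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

// Bound to the same resource type and selector named in the issue.
@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=sling/servlet/default",
    "sling.servlet.selectors=SLING_availablebindings",
    "sling.servlet.extensions=json" // assumption: extension taken from ".SLING_availablebindings.json"
})
public class GuardedBindingsServlet extends SlingSafeMethodsServlet {

    // Optional and dynamic: the console may run without any security provider,
    // so the servlet must not fail to activate when none is registered.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private volatile WebConsoleSecurityProvider2 securityProvider;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        if (!isAuthorized(request, response)) {
            // Deny before any implementation detail is written to the response.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The bindings listing itself would be written here (omitted in this example).
    }

    // Same gate the web console applies: the provider decides; without a provider,
    // only the admin user may read the listing (fallback rule is an assumption).
    boolean isAuthorized(SlingHttpServletRequest request, SlingHttpServletResponse response) {
        WebConsoleSecurityProvider2 provider = securityProvider; // read the volatile once
        if (provider != null) {
            return provider.authenticate(request, response);
        }
        return "admin".equals(request.getResourceResolver().getUserID());
    }
}
```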
--
This message was sent by Atlassian Jira
(v8.3.4#803005)