[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290791#comment-17290791 ]
Julian Sedding commented on SLING-10147:
----------------------------------------
[~enorman] it seems I didn't explain my suggestion clearly. Of course it makes
little sense to implement a {{WebConsoleSecurityProvider}} in
{{scripting.core}}. What I tried to suggest was a modification to the
web-console itself (i.e. in the Apache Felix project), whereby its current
default authentication mechanism is refactored into a default
{{WebConsoleSecurityProvider}} and also exposed as a service. It could
unregister the default {{WebConsoleSecurityProvider}} when another one is
registered as a service. With such a change to the web-console, you could rely
on the presence of a {{WebConsoleSecurityProvider}} in your changes to
{{scripting.core}}.
> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
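The gating the issue asks for, as an added illustration that is not part of SLING-10147, of Sling's scripting.core, or of the Felix web console: a Sling servlet bound to the `.SLING_availablebindings.json` selector that answers only after delegating the caller's Basic credentials to whatever `WebConsoleSecurityProvider` service is registered, and refuses the request when none is bound. The class and package names are hypothetical; it assumes the Felix `WebConsoleSecurityProvider` methods `authenticate(String, String)` returning a user object (or null) and the usual `sling.servlet.*` registration properties. The bindings listing itself is reduced to a placeholder body, since the page does not show that code.

```java
// Hypothetical package; the gate, not the bindings listing, is the point of this example.
package example.scripting;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.webconsole.WebConsoleSecurityProvider;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

// Same selector/extension pairing the issue describes, on the default servlet resource type.
@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=sling/servlet/default",
    "sling.servlet.selectors=SLING_availablebindings",
    "sling.servlet.extensions=json",
    "sling.servlet.methods=GET"
})
public class GuardedAvailableBindingsServlet extends SlingSafeMethodsServlet {

    // Optional + dynamic: the servlet stays registered while the provider comes and goes,
    // but every request re-checks whether a provider is currently bound.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private volatile WebConsoleSecurityProvider securityProvider;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        Object user = authenticatedUser(request);
        if (user == null) {
            // Fail closed: no provider, no credentials, or rejected credentials all end here.
            response.setHeader("WWW-Authenticate", "Basic realm=\"OSGi Management Console\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(renderBindings());
    }

    /** Returns the provider's user object, or null when the request must be refused. */
    Object authenticatedUser(SlingHttpServletRequest request) {
        WebConsoleSecurityProvider provider = securityProvider; // read the volatile once
        if (provider == null) {
            return null; // nothing to delegate to: deny rather than fall back to "open"
        }
        String[] creds = basicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            return null;
        }
        // The provider, not this servlet, decides whether the credentials are valid.
        return provider.authenticate(creds[0], creds[1]);
    }

    /** Decodes "Basic base64(user:pass)"; returns null for anything malformed. */
    static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                return null;
            }
            return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }

    /** Placeholder for the existing bindings listing, which is not part of this example. */
    private String renderBindings() {
        return "{\"bindings\":[]}";
    }
}
```

With the Felix change Julian describes (the console's built-in login refactored into a default provider that is exposed as a service and withdrawn when another provider appears), the `OPTIONAL` reference above would in practice always be satisfied; the null check is kept so that a console with no provider at all denies rather than exposes the listing. No `authorize(user, role)` call is shown because the page names no role.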