[
http://jira.magnolia-cms.com/browse/MAGNOLIA-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Haderka updated MAGNOLIA-3191:
----------------------------------
Description:
Currently the content of the log files is assumed to be safe. This assumption is
incorrect, as the log file might include messages from content entered by users
in a search form or other input fields on the site, and therefore it must be escaped.
While the impact of the issue with properly secured access to AdminCentral (protect
access to the {{.magnolia}} URI from the public net) is minimal, I'm setting the priority
to critical and will push the fix into the next maintenance release. Protecting the
{{.magnolia}} URI means that even should the attacker potentially obtain the
session cookie, (s)he would not be able to log in to the AdminCentral unless
being in the range of addresses from which access is allowed.
Workaround:
- do not use the log viewer in the AdminCentral, but view the log files directly in
the file system.
was:
Currently the content of the log files is assumed to be safe. This assumption is
incorrect, as the log file might include messages from content entered by users
in a search form or other input fields on the site, and therefore it must be escaped.
While the impact of the issue with properly secured access to AdminCentral (protect
access to the {{.magnolia}} URI from the public net) is minimal, I'm setting the priority
to critical and will push the fix into the next maintenance release.
Workaround:
- do not use the log viewer in the AdminCentral, but view the log files directly in
the file system.
> The content of log files is not escaped before being rendered via log viewer
> ----------------------------------------------------------------------------
>
> Key: MAGNOLIA-3191
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3191
> Project: Magnolia
> Issue Type: Bug
> Components: admininterface
> Affects Versions: 4.1.4, 4.2.3, 4.3.1
> Reporter: Jan Haderka
> Assignee: Jan Haderka
> Priority: Critical
> Fix For: 4.2.x, 4.3.x, 4.1.x
>
>
> Currently the content of the log files is assumed to be safe. This assumption is
> incorrect, as the log file might include messages from content entered by
> users in a search form or other input fields on the site, and therefore it must be
> escaped.
> While the impact of the issue with properly secured access to AdminCentral (protect
> access to the {{.magnolia}} URI from the public net) is minimal, I'm setting the priority
> to critical and will push the fix into the next maintenance release. Protecting
> the {{.magnolia}} URI means that even should the attacker potentially obtain
> the session cookie, (s)he would not be able to log in to the AdminCentral
> unless being in the range of addresses from which access is allowed.
> Workaround:
> - do not use the log viewer in the AdminCentral, but view the log files directly
> in the file system.
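The escaping the report asks for, shown as an added example that is not Magnolia's code: the trusting rendering of log lines beside the fixed one, where each line is escaped at the point it enters the HTML page. The class and method names and the log lines are constructed for illustration.

```java
// Added example, not Magnolia code: escaping log content before an HTML log
// viewer renders it. Class and method names are hypothetical.
import java.util.List;

public final class LogViewerEscaping {

    /** Escape the characters that are significant in HTML text and attributes. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable variant: log content is trusted and concatenated into the page. */
    static String renderUnescaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>");
        for (String line : lines) html.append(line).append('\n');
        return html.append("</pre>").toString();
    }

    /** Fixed variant: every log line is escaped as it is written into the HTML. */
    static String renderEscaped(List<String> lines) {
        StringBuilder html = new StringBuilder("<pre>");
        for (String line : lines) html.append(escapeHtml(line)).append('\n');
        return html.append("</pre>").toString();
    }

    public static void main(String[] args) {
        // Constructed log lines: a search term submitted through a public form
        // is written verbatim to the application log, as the report describes.
        List<String> log = List.of(
            "2010-06-01 10:00:00 INFO  SearchServlet - query=\"magnolia\"",
            "2010-06-01 10:00:05 INFO  SearchServlet - query=\"<script>alert(1)</script>\"");
        System.out.println(renderUnescaped(log)); // the script tag reaches the browser as markup
        System.out.println(renderEscaped(log));   // the browser shows it as literal text
    }
}
```

Escaping belongs at render time, not at the moment the line is logged, so the log file on disk keeps the exact input that was received and remains usable for incident analysis.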
----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
----------------------------------------------------------------