[
http://jira.magnolia-cms.com/browse/MAGNOLIA-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Haderka resolved MAGNOLIA-3191.
-----------------------------------
Resolution: Fixed
> The content of log files is not escaped before being rendered via log viewer
> ----------------------------------------------------------------------------
>
> Key: MAGNOLIA-3191
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3191
> Project: Magnolia
> Issue Type: Bug
> Components: admininterface
> Affects Versions: 4.1.4, 4.2.3, 4.3.1
> Reporter: Jan Haderka
> Assignee: Jan Haderka
> Priority: Critical
> Fix For: 4.2.x, 4.3.x, 4.1.x
>
>
> Currently content of the log files is assumed to be safe. This assumption is
> incorrect as the log file might include messages from content entered by
> users in search form or other input fields on the site and therefore must be
> escaped.
> While the issue impact with properly secured access to AdminCentral (protect
> access to {{.magnolia}} URI from public net) is minimal, I'm setting priority
> to critical and will push the fix into next maintenance release. Protecting
> the {{.magnolia}} URI means that even should the attacker potentially obtain
> the session cookie, (s)he would not be able to login to the AdminCentral
> unless being in the range of addresses from which access is allowed.
> Workaround:
> - do not use log viewer in the AdminCentral, but view the log files directly
> in the file system.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------
