Ashok Kumar created FELIX-6127:
----------------------------------
Summary: escape nameHint for configuration listing
Key: FELIX-6127
URL: https://issues.apache.org/jira/browse/FELIX-6127
Project: Felix
Issue Type: Bug
Reporter: Ashok Kumar
Attachments: nameHint_escape_tags.patch
There is a XSS vulnerability in configMgr where adding a html or script tag in
log file name. Since this console is only accessible to admin, threat rating of
this vulnerability is very low.
*Steps to reproduce :*
* In /system/console/configMgr, find Apache Sling Logging Logger Configuration
* Edit one of the logs, e.g logs/auditlog.log
* Change to logs/auditlog.log<script>alert("xss")</script>
* Click Save and refresh
* Scroll to the configuration and see alert pop up injected
*Expected Behavior :* Injected script should be escaped.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
