Ernest Allen created DISPATCH-886:
-------------------------------------
Summary: Console does not properly escape HTML in entity names
Key: DISPATCH-886
URL: https://issues.apache.org/jira/browse/DISPATCH-886
Project: Qpid Dispatch
Issue Type: Bug
Components: Console
Affects Versions: 1.0.0
Reporter: Ernest Allen
>From ENTMQIC-1888
Put this into qdrouterd.conf file:
router { id: Ro<b>u</b>ter.A }
Then connect to the router with the console.
In the tree on the left in the Overview page, the u will be actually bold.
The Overview page will refer to the router as Ro<b>u< in the table of routers
on the right, that is, part of the name is missing. The DOM looks like this
<span ng-cell-text="" class="ng-binding">Ro<b>u<</span>
Regarding exploitability, I did manage to send a command to Jolokia (to kill
Artemis broker) by creating the following address prefix and then having the
admin looking at it.
qdmanage create --type=address prefix=aPrefix name="<img
src=\"http://127.0.0.1:8161/hawtio/jolokia/exec/org.apache.activemq.artemis:type=Broker,brokerName=%220.0.0.0%22,module=Core,serviceType=Server/forceFailover()\"></img>"
Now open up the Entities tab in the browser and expand the address subtree on
that page.
I did not manage to push through any JavaScript (to do XSS) and I needed to
edit the server config or use qdmanage to put in the HTML. In other words, I
had to be server admin to do this.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
