[jira] [Comment Edited] (SLING-10147) scripting variables implementation details are exposed to not authorized users

Wed, 24 Feb 2021 07:20:04 -0800 


    [ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290010#comment-17290010
 ] 

Julian Sedding edited comment on SLING-10147 at 2/24/21, 3:19 PM:
------------------------------------------------------------------

[~enorman] would it be possible to re-implement the default authentication 
(i.e. without a {{WebConsoleSecurityProvider}}) as a 
{{WebConsoleSecurityProvider}}? This could be the default implementation and 
only be registered as a service unless another one is available. If this was 
the case it would then be simple to secure all sorts of web-console related 
servlets. Granted, the bindings are probably a bit of an edge case. So it may 
not be worth the effort.


was (Author: jsedding):
[~enorman] would it be possible to re-implement the default authentication 
(i.e. without a {{WebConsoleSecurityProvider) as a 
}}{{WebConsoleSecurityProvider}}? This could be the default implementation and 
only be registered as a service unless another one is available. If this was 
the case it would then be simple to secure all sorts of web-console related 
servlets. Granted, the bindings are probably a bit of an edge case. So it may 
not be worth the effort.

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 3h 50m
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to