[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292236#comment-17292236
 ] 

Eric Norman edited comment on SLING-10147 at 2/27/21, 8:50 PM:
---------------------------------------------------------------

[~cziegeler] To clarify, the FELIX-6390 improvement is only required for the 
use case where a WebConsoleSecurityProvider service that implements 
WebConsoleSecurityProvider2 is not registered. 

Since
org.apache.sling/org.apache.sling.extensions.webconsolesecurityprovider/1.2.0
is included since starter version 11 and provides that service, I am not certain
how many real-world use cases would need the FELIX-6390 fix.

Do you have some more data about whether existing customers typically use the 
webconsole with sling without the o.a.s.extensions.webconsolesecurityprovider 
bundle (or equivalent) deployed?


was (Author: enorman):
[~cziegeler] To clarify, the FELIX-6390 improvement is only required for the 
use case where a WebConsoleSecurityProvider service that implements 
WebConsoleSecurityProvider2 is not registered. 

Since
org.apache.sling/org.apache.sling.extensions.webconsolesecurityprovider/1.2.0
is included since starter version 11 and provides that service, I am not certain
how many real-world use cases would need the FELIX-6390 fix.

Do you have some more data about whether existing customers typically use the 
webconsole without the o.a.s.extensions.webconsolesecurityprovider bundle (or 
equivalent) deployed?

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 4.5h
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
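The quoted issue describes a selector-bound servlet on sling/servlet/default that answers on every resource without any authorization check, and the comment above asks that it be gated by the same check the webconsole uses. The Java example below is added here and is not Sling's actual fix for SLING-10147; it shows the defensive pattern the discussion points to: a Sling servlet that delegates the decision to the registered Felix WebConsoleSecurityProvider2 (the service the o.a.s.extensions.webconsolesecurityprovider bundle supplies) and fails closed with 403 when no such provider is present or the provider declines the request. The package name, class name, the EXAMPLE_availablebindings selector and the placeholder JSON payload are assumptions, not names from the project.

```java
// Added example, not Sling's fix for SLING-10147: a selector-bound servlet that
// only responds when the registered webconsole security provider authenticates
// the caller, and otherwise fails closed.
package example.guarded;  // hypothetical package

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

@Component(service = Servlet.class)
@SlingServletResourceTypes(
        resourceTypes = "sling/servlet/default",      // applies to every resource, like the issue's selector
        selectors = "EXAMPLE_availablebindings",      // placeholder selector, not the real one
        extensions = "json",
        methods = HttpConstants.METHOD_GET)
public class GuardedBindingsServlet extends SlingSafeMethodsServlet {

    // Optional and dynamic: the provider bundle may be installed or removed at runtime,
    // so the field is volatile and may be null at request time.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private volatile WebConsoleSecurityProvider2 securityProvider;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        WebConsoleSecurityProvider2 provider = securityProvider;
        if (provider == null) {
            // Fail closed: without a provider there is no way to prove the caller
            // is allowed into the webconsole, so the endpoint stays disabled.
            response.sendError(SlingHttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The provider may write its own challenge (for example a login redirect)
        // before returning false, so only send 403 if nothing has been committed yet.
        if (!provider.authenticate(request, response)) {
            if (!response.isCommitted()) {
                response.sendError(SlingHttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }
        // Authenticated as a webconsole user: emit the (placeholder) payload.
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"bindings\":[]}");  // constructed placeholder, not real binding data
    }
}
```

The fail-closed branch is the deliberate design choice here: in a deployment without the webconsolesecurityprovider bundle (or an equivalent WebConsoleSecurityProvider2 service), the servlet returns 403 rather than falling back to an unauthenticated response. The situation the comment discusses, where the FELIX-6390 improvement would be needed because no WebConsoleSecurityProvider2 is registered, is therefore handled by refusing the request instead of by an alternative check, which is the conservative behaviour for an endpoint that exposes implementation details.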
