[ https://issues.apache.org/jira/browse/VCL-808?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andy Kurth resolved VCL-808.
----------------------------
Resolution: Won't Fix
There are no injection checks on the input entered via any of the _vcld
--setup_ options. However, in order to run _vcld --setup_ one would need
console access to a management node and the command would probably need to run
as root in order to work. With this level of access, it can be implied that
the person can obtain full r/w access to the database. Adding checks really
wouldn't add much security.
> vcld allows user values that contain HTML which is not cleaned on web
> interface
> -------------------------------------------------------------------------------
>
> Key: VCL-808
> URL: https://issues.apache.org/jira/browse/VCL-808
> Project: VCL
> Issue Type: Improvement
> Components: vcld (backend)
> Affects Versions: 2.3.2
> Reporter: Karl Vollmer
> Fix For: 2.5
>
>
> Put in HTML/JavaScript for a user's first name; it makes it into the database
> and is displayed and executed on the web interface
> Example: ./vcld -setup
> Add user with a firstname of "<b>Bol</b>"
> Lookup the user on the web interface
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
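
An added illustration, not part of the original message or of VCL's code: it stores the first name from the report in a constructed table and shows the rendered markup with and without output encoding, plus an audit that lists rows containing angle brackets regardless of which path wrote them. The table schema and all function names are assumptions made for the example.

```python
import html
import sqlite3

def build_db():
    """Constructed sample data in a hypothetical `user` table (not VCL's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)"
    )
    db.executemany(
        "INSERT INTO user (firstname, lastname) VALUES (?, ?)",
        [
            ("Alice", "Example"),
            ("<b>Bol</b>", "Example"),  # first name used in the report
        ],
    )
    return db

def render_row_unsafe(first, last):
    """Behaviour described in the report: the stored value goes into markup as-is."""
    return "<td>" + first + " " + last + "</td>"

def render_row_escaped(first, last):
    """Encode at output time, so stored markup is shown as text whatever wrote it."""
    return "<td>" + html.escape(first + " " + last, quote=True) + "</td>"

def audit_names(db):
    """Return ids of rows whose name fields contain angle brackets."""
    rows = db.execute("SELECT id, firstname, lastname FROM user ORDER BY id")
    return [uid for uid, first, last in rows
            if any(ch in first + last for ch in "<>")]

if __name__ == "__main__":
    db = build_db()
    query = "SELECT id, firstname, lastname FROM user ORDER BY id"
    for uid, first, last in db.execute(query):
        print(uid, render_row_unsafe(first, last), render_row_escaped(first, last))
    print("rows containing angle brackets:", audit_names(db))
```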