Na Li created SENTRY-2120:
-----------------------------
Summary: cross-site scripting vulnerability in LogLevelServlet
Key: SENTRY-2120
URL: https://issues.apache.org/jira/browse/SENTRY-2120
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 2.0.0, 2.1.0
Reporter: Na Li
Assignee: Na Li
LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String logName = getParameter(request, "log");
String level = getParameter(request, "level");
response.setContentType("text/html;charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = response.getWriter();
if (logName != null) {
Logger logInstance = LogManager.getLogger(logName);
if (level == null) {
out.write(String.format(FORMS_GET,
escapeHtml(logName),
logInstance.getEffectiveLevel().toString()));
} else if (isLogLevelValid(level)) {
logInstance.setLevel(Level.toLevel(level));
out.write(String.format(FORMS_SET,
escapeHtml(logName),
level,
level,
logInstance.getEffectiveLevel().toString()));
} else {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log
level: " + level);
return;
}
}
out.write(FORMS_END);
out.close();
response.flushBuffer();
}
{code}
As a result HTTP parameter is directly written to Servlet error page. Echoing
this untrusted input allows for a reflected cross site scripting vulnerability.
See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
