[ 
https://issues.apache.org/jira/browse/DISPATCH-886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ernest Allen resolved DISPATCH-886.
-----------------------------------
       Resolution: Fixed
    Fix Version/s: 1.1.0

> Console does not properly escape HTML in entity names
> -----------------------------------------------------
>
>                 Key: DISPATCH-886
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-886
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Console
>    Affects Versions: 1.0.0
>            Reporter: Ernest Allen
>            Assignee: Ernest Allen
>             Fix For: 1.1.0
>
>
> From ENTMQIC-1888
> Put this into qdrouterd.conf file:
> router { id: Ro<b>u</b>ter.A }
> Then connect to the router with the console.
> In the tree on the left in the Overview page, the u will actually be bold.
> The Overview page will refer to the router as Ro<b>u< in the table of routers 
> on the right, that is, part of the name is missing. The DOM looks like this 
> <span ng-cell-text="" class="ng-binding">Ro<b>u<</span>
> Regarding exploitability, I did manage to send a command to Jolokia (to kill 
> the Artemis broker) by creating the following address prefix and then having the 
> admin look at it.
> qdmanage create --type=address prefix=aPrefix name="<img src=\"http://127.0.0.1:8161/hawtio/jolokia/exec/org.apache.activemq.artemis:type=Broker,brokerName=%220.0.0.0%22,module=Core,serviceType=Server/forceFailover()\"></img>"
> Now open up the Entities tab in the browser and expand the address subtree on 
> that page.
> I did not manage to push through any JavaScript (to do XSS) and I needed to 
> edit the server config or use qdmanage to put in the HTML. In other words, I 
> had to be server admin to do this.
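The defensive rule behind this report, as an added example that is not code from the Qpid Dispatch console: an entity name read from qdrouterd.conf or created with qdmanage is untrusted text and is escaped before it is placed into the cell markup quoted above. The function names and the second sample name are assumptions; the router id is the one from the report.

```javascript
// Added example, not the console's own code. Entity names coming from
// configuration (router id, address prefix) are treated as text, never as HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can open or close a tag, attribute or entity,
// so the name is safe in both element text and attribute values.
function escapeEntityName(name) {
  return String(name).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the table cell seen in the report's DOM, with the name inserted as
// escaped text only. Attribute and class names are copied from the report;
// the function itself is hypothetical.
function renderRouterCell(name) {
  return `<span ng-cell-text="" class="ng-binding">${escapeEntityName(name)}</span>`;
}

// Regression check a defender can keep in a test suite: after escaping, the
// only tags in the cell are the wrapper span, so no markup from the name survives.
function cellHasOnlyWrapperTag(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.length === 2 && tags[0].startsWith('<span') && tags[1] === '</span>';
}

// Constructed sample names: the router id from the report and a name that
// exercises quote and ampersand escaping.
const SAMPLE_NAMES = ['Ro<b>u</b>ter.A', 'Broker "A" & co'];

for (const n of SAMPLE_NAMES) {
  console.log(renderRouterCell(n), cellHasOnlyWrapperTag(renderRouterCell(n)));
}
```

Escaping is only needed where a name is concatenated into markup; a framework text binding that sets the node's text content does the same job, while a binding that interprets its input as HTML reintroduces the report's behaviour.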



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)