Uploaded image for project: 'HAL'
  1. HAL
  2. HAL-1511

Cross-site scripting (XSS) in JBoss Management Console

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.5.Final
    • 3.0.4.Final
    • None
    • None

      There is a vulnerability in HAL not properly escaping html characters from resource names, see example below:

      [standalone@localhost:9990 /] deploy /home/darranl/src/wildfly13/elytron-examples/simple-webapp/target/simple-webapp.war --name=xss<svg/onload=alert(document.domain)>xss --disabled
      
      [standalone@localhost:9990 /] /system-property="xss<svg/onload=alert(document.domain)>xss":add(value=test)
      

      When loading either the system property view or opening the deployment view, the javascript onload is loaded.

              cmiranda@redhat.com Claudio Miranda
              cmiranda@redhat.com Claudio Miranda
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: