
Cross-site scripting (XSS) in JBoss Management Console

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 3.0.4.Final
    • Fix Version/s: 3.0.5.Final
    • Component/s: None
    • Labels: None

      Description

      HAL does not properly escape HTML characters in resource names, so a crafted name is rendered as markup. The following CLI commands reproduce the problem:

      [standalone@localhost:9990 /] deploy /home/darranl/src/wildfly13/elytron-examples/simple-webapp/target/simple-webapp.war --name=xss<svg/onload=alert(document.domain)>xss --disabled

      [standalone@localhost:9990 /] /system-property="xss<svg/onload=alert(document.domain)>xss":add(value=test)

      When the system property view is loaded or the deployment view is opened, the JavaScript in the onload handler executes in the console user's browser.
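      As an added illustration (not HAL's own code), the snippet below contrasts rendering a resource name by raw string concatenation, which is the behaviour this report describes, with rendering it through an HTML escaper, and includes a small audit helper for spotting management-model names that carry HTML metacharacters. The function names and the sample resource names are constructed for the example.

```javascript
// Added example, not HAL's code: HTML-escaping resource names before they are
// placed into console markup, plus an audit helper for the management model.

// Escape the characters that can change HTML element or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build table rows from resource names. escape=false models the vulnerable
// behaviour from the report (raw concatenation); escape=true models the fix.
function renderRows(names, escape) {
  const cell = escape ? escapeHtml : (v) => String(v);
  return names.map((n) => `<tr><td>${cell(n)}</td></tr>`).join('');
}

// List the element tags a markup string would open (rough proxy for what the
// browser's HTML parser creates). Table rows should only ever yield tr and td.
function elementTags(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Audit helper: flag resource names containing HTML metacharacters, which is
// how a defender can find names like the one in this report in the model.
function findSuspiciousNames(names) {
  return names.filter((n) => /[<>"'&]/.test(n));
}

// Constructed sample resource names, including the payload quoted in the report.
const SAMPLE_NAMES = ['simple-webapp.war', 'xss<svg/onload=alert(document.domain)>xss'];

console.log('unescaped tags:', elementTags(renderRows(SAMPLE_NAMES, false)));
console.log('escaped tags:  ', elementTags(renderRows(SAMPLE_NAMES, true)));
console.log('suspicious:    ', findSuspiciousNames(SAMPLE_NAMES));
```

      With the raw rendering the tag list contains an unexpected svg element; with escaping it contains only tr and td, and the audit helper reports the crafted name.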

    People

    • Assignee: Claudio Miranda (claudio4j)
    • Reporter: Claudio Miranda (claudio4j)