Uploaded image for project: 'HAL'
  1. HAL
  2. HAL-1511

Cross-site scripting (XSS) in JBoss Management Console

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 3.0.5.Final
    • 3.0.4.Final
    • None
    • None

    Description

      There is a vulnerability in HAL not properly escaping html characters from resource names, see example below:

      [standalone@localhost:9990 /] deploy /home/darranl/src/wildfly13/elytron-examples/simple-webapp/target/simple-webapp.war --name=xss<svg/onload=alert(document.domain)>xss --disabled

[standalone@localhost:9990 /] /system-property="xss<svg/onload=alert(document.domain)>xss":add(value=test)

      When loading either the system property view or opening the deployment view, the javascript onload is loaded.

      Attachments

        Issue Links

          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-10936 Upgrade HAL to 3.0.5.Final

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-11408 Upgrade HAL to 3.1.2.Final

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              cmiranda@redhat.com Claudio Miranda
              cmiranda@redhat.com Claudio Miranda
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: