Posted to dev@qpid.apache.org by "Ernest Allen (JIRA)" <ji...@apache.org> on 2017/11/27 19:23:00 UTC

[jira] [Assigned] (DISPATCH-886) Console does not properly escape HTML in entity names

     [ https://issues.apache.org/jira/browse/DISPATCH-886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ernest Allen reassigned DISPATCH-886:
-------------------------------------

    Assignee: Ernest Allen

> Console does not properly escape HTML in entity names
> -----------------------------------------------------
>
>                 Key: DISPATCH-886
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-886
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Console
>    Affects Versions: 1.0.0
>            Reporter: Ernest Allen
>            Assignee: Ernest Allen
>
> From ENTMQIC-1888
> Put this into qdrouterd.conf file:
> router { id: Ro<b>u</b>ter.A }
> Then connect to the router with the console.
> In the tree on the left in the Overview page, the u will be actually bold.
> The Overview page will refer to the router as Ro<b>u< in the table of routers on the right, that is, part of the name is missing. The DOM looks like this <span ng-cell-text="" class="ng-binding">Ro<b>u<</span>
> Regarding exploitability, I did manage to send a command to Jolokia (to kill Artemis broker) by creating the following address prefix and then having the admin look at it.
> qdmanage create --type=address prefix=aPrefix name="<img src=\"http://127.0.0.1:8161/hawtio/jolokia/exec/org.apache.activemq.artemis:type=Broker,brokerName=%220.0.0.0%22,module=Core,serviceType=Server/forceFailover()\"></img>"
> Now open up the Entities tab in the browser and expand the address subtree on that page.
> I did not manage to push through any JavaScript (to do XSS) and I needed to edit the server config or use qdmanage to put in the HTML. In other words, I had to be server admin to do this.
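The defect described in the report is output encoding: an entity name is placed into the page as markup instead of as text, so `Ro<b>u</b>ter.A` parses into extra elements. The example below is added here and is not the Qpid Dispatch console's own code; `renderCellUnsafe`, `renderCellSafe` and `validateEntityName` are hypothetical stand-ins that model the bug and its two fixes (escape on output, reject markup characters on input), and in AngularJS the same distinction is binding text with `ng-bind`/`{{ }}`, which escapes, versus inserting raw HTML.

```javascript
// Added example, not code from the Qpid Dispatch console. Models DISPATCH-886:
// an entity name concatenated into markup is parsed as HTML; escaping it first
// keeps it as literal text. All function names here are hypothetical.

// Escape the five characters that matter inside element bodies and attributes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (what the report observes): the raw name becomes markup.
function renderCellUnsafe(name) {
  return `<span class="ng-binding">${name}</span>`;
}

// Hardened pattern: the name is escaped before it is placed into the markup.
function renderCellSafe(name) {
  return `<span class="ng-binding">${escapeHtml(name)}</span>`;
}

// Defense in depth at the management side (qdmanage / qdrouterd.conf):
// reject names containing markup characters so they never reach a renderer.
// Hypothetical policy, not a Qpid Dispatch rule.
function validateEntityName(name) {
  return typeof name === 'string' && name.length > 0 && !/[<>"'&]/.test(name);
}

// Count the tags the rendered string would parse into; the unsafe rendering
// of the report's router id yields four (span, b, /b, /span), the safe one two.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample: the router id from the report.
const sampleName = 'Ro<b>u</b>ter.A';
console.log(renderCellUnsafe(sampleName), countTags(renderCellUnsafe(sampleName)));
console.log(renderCellSafe(sampleName), countTags(renderCellSafe(sampleName)));
console.log('valid name?', validateEntityName(sampleName));
```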



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
