Bug 724550 (BRMS-497) - BRMS Feed-Servlet: Log Injection with attachmentUUID parameter
Summary: BRMS Feed-Servlet: Log Injection with attachmentUUID parameter
Keywords:
Status: VERIFIED
Alias: BRMS-497
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: BRM (Guvnor), Security
Version: BRMS 5.2.0.GA
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: BRMS 5.3.0.GA
Assignee: manstis
QA Contact: Lukáš Petrovický
URL: http://jira.jboss.org/jira/browse/BRM...
Whiteboard:
Duplicates: 724548
Depends On:
Blocks:
 
Reported: 2010-12-03 14:34 UTC by Len DiMaggio
Modified: 2022-11-15 23:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug




Links
System                  | ID       | Private | Priority | Status | Summary                                                         | Last Updated
Red Hat Bugzilla        | 724548   | 1       | None     | None   | None                                                            | 2021-01-20 06:05:38 UTC
Red Hat Issue Tracker   | BRMS-497 | 0       | None     | Closed | BRMS Feed-Servlet: Log Injection with attachmentUUID parameter  | 2012-06-27 11:11:30 UTC

Internal Links: 724548

Description Len DiMaggio 2010-12-03 14:34:12 UTC
securitylevel_name: Public

Feed-Servlet: Log Injection with attachmentUUID parameter

http://127.0.0.1:8080/jboss-brms/org.drools.guvnor.Guvnor/feed/discussion?assetName=x&package=%0AThis is a very bad thing in your log %0Dx&discussion=x


(Thanks to Marc S. for identifying this issue)

Comment 3 Lukáš Petrovický 2011-11-14 11:34:55 UTC
This is still an issue.

Comment 5 Geoffrey De Smet 2011-11-22 14:36:14 UTC
We discussed this and we reject this issue for the following reasons:

- Log injection is not a security threat. Please show a counter example if it is a problem.
- Logging the values of what goes wrong (except for security credentials etc, which are never part of the exception message) is a good thing: it helps to diagnose and fix the problem.

Please reopen if you disagree.
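Worked example of the CR/LF log injection from the description, and of the kind of counter example Comment 5 asks for. This block is an added example and is not code from the bug report or from Guvnor. Only REPORTED_QUERY is taken from the page (the query string of the URL in the description); the log line layout, the FeedServlet and LoginService logger names, the fixed timestamp and the FORGED_QUERY payload are assumptions made for the demonstration. It renders the log line the vulnerable way (raw parameter values interpolated) and the hardened way (control characters escaped, length capped), then reads the result back with a line-oriented parser of the kind a grep, a SIEM rule or an analyst scanning server.log effectively uses, so the effect of an unescaped %0A on downstream consumers is visible.

```python
import re
import urllib.parse

# Query string taken from the URL in the bug report (everything after '?').
REPORTED_QUERY = ("assetName=x&package=%0AThis is a very bad thing in your log %0Dx"
                  "&discussion=x")

# Constructed payload (not from the bug report): the LF lets the attacker
# append a whole fake record that appears to come from another component.
FORGED_QUERY = ("assetName=x&package=x&discussion=x%0A2010-12-03 14:34:13 INFO  "
                "LoginService - user admin authenticated from 10.0.0.1")

# Hypothetical line layout for this demonstration; not Guvnor's real format.
TS = "2010-12-03 14:34:12"  # fixed so the output is deterministic
LINE_FORMAT = ("{ts} WARN  FeedServlet - assetName={assetName} "
               "package={package} discussion={discussion}")

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(\S+) - (.*)$")


def parse_query(query):
    """Percent-decode the query as a servlet container would (%0A -> LF, %0D -> CR)."""
    return dict(urllib.parse.parse_qsl(query, keep_blank_values=True))


def sanitize(value, max_len=100):
    """Escape CR, LF and every other control character, and cap the length,
    so an attacker-supplied value can never start a new physical log line
    while the offending input stays readable for diagnosis."""
    escaped = CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)
    return escaped if len(escaped) <= max_len else escaped[:max_len] + "..."


def render_line(params, safe):
    """Build the log line. safe=False reproduces the vulnerable behaviour
    (raw values interpolated); safe=True runs each value through sanitize()."""
    fields = {k: params.get(k, "") for k in ("assetName", "package", "discussion")}
    if safe:
        fields = {k: sanitize(v) for k, v in fields.items()}
    return LINE_FORMAT.format(ts=TS, **fields)


def split_records(log_text):
    """Naive line-oriented consumer: one physical line is one record.
    Returns (timestamp, level, logger, message) per line, or
    ('?', '?', '?', raw) for a line that does not look like a record."""
    out = []
    for line in log_text.split("\n"):
        m = RECORD.match(line)
        out.append(m.groups() if m else ("?", "?", "?", line))
    return out


def demo(query, safe):
    """Log one request and return what a line-oriented consumer sees."""
    return split_records(render_line(parse_query(query), safe))


if __name__ == "__main__":
    for name, query in (("reported", REPORTED_QUERY), ("forged", FORGED_QUERY)):
        for safe in (False, True):
            print("%s, safe=%s:" % (name, safe))
            for rec in demo(query, safe):
                print("   ", rec)
```

Run directly, the unsanitized rendering of the reported payload produces two physical lines, the second of which is attacker-controlled text with no timestamp; the forged payload produces a second line that parses as a well-formed INFO record from LoginService that nothing ever logged. With sanitize() applied both stay a single record with the control characters visible as \x0a and \x0d, which keeps the diagnostic value of logging the bad input but removes the ability to start a new record or flood the log.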

Comment 6 Geoffrey De Smet 2011-11-22 14:37:11 UTC
*** Bug 724548 has been marked as a duplicate of this bug. ***

