Red Hat Process Automation Manager: RHPAM-173

Artifact repository upload functionality allows malicious code injection


Details

      • Start JBoss BPM Suite/BRMS on EAP 6.4.12+
      • Go to Business Central, log in, and then open Authoring -> Artifact Repository
      • Upload the attached inject-script-1.0.pom.xml; an alert showing the value 1 appears.

    Description

      When a pom.xml containing errors is uploaded to Business Central through the Artifact Repository, the resulting error message is rendered as HTML rather than as text, so markup embedded in the POM is interpreted by the browser and any script it carries is executed. Take for example the following script.pom.xml:

      <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <groupId>example</groupId>
        <artifactId>inject-script</artifactId>
        <version>1.0</version>
        
        <dependencies>
        	<dependency>
        		<groupId>example</groupId>
        		<artifactId>}}proj&lt;script&gt;alert(1)&lt;/script&gt;</artifactId>
        		<version>1.0</version>
        	</dependency>
        </dependencies>
      </project>
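The root cause described above is that a value taken from the uploaded POM (here the dependency artifactId) is concatenated into an HTML error message without escaping. The following is an added example, not code from the issue or from Business Central: it parses a constructed POM modelled on the one above, shows the unescaped rendering beside an escaped one using html.escape, and adds an allow-list check on Maven coordinates so a value like this is rejected before any error text is built. The render_error_* functions and the coordinate regex are assumptions for illustration, not the product's own code.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the pom.xml attached to the issue; the
# dependency artifactId carries the same kind of markup the report describes.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>inject-script</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>example</groupId>
      <artifactId>}}proj&lt;script&gt;alert(1)&lt;/script&gt;</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Allow-list for coordinate values before they are echoed to a user. This character
# set is an assumption chosen for the example, not a rule taken from Maven.
COORDINATE_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def dependency_artifact_ids(pom_text):
    """Return the artifactId text of every <dependency> in the POM.

    The XML parser decodes the &lt;/&gt; entities, so the returned string
    contains literal angle brackets, which is what later reaches the page.
    """
    root = ET.fromstring(pom_text)
    return [
        dep.findtext(POM_NS + "artifactId", default="")
        for dep in root.iter(POM_NS + "dependency")
    ]


def render_error_vulnerable(artifact_id):
    """The pattern the report describes: untrusted text concatenated into HTML."""
    return "<div class='error'>Unknown dependency: " + artifact_id + "</div>"


def render_error_safe(artifact_id):
    """Hardened form: escape the value so the browser shows it as text, not markup."""
    escaped = html.escape(artifact_id, quote=True)
    return "<div class='error'>Unknown dependency: " + escaped + "</div>"


def is_valid_coordinate(value):
    """True if the value contains only characters the allow-list permits."""
    return bool(COORDINATE_RE.match(value))


def check_pom(pom_text):
    """Defensive pre-check: list every dependency artifactId outside the allow-list."""
    return [a for a in dependency_artifact_ids(pom_text) if not is_valid_coordinate(a)]


if __name__ == "__main__":
    for bad in check_pom(SAMPLE_POM):
        print("rejected coordinate:", repr(bad))
        print("unsafe markup:", render_error_vulnerable(bad))
        print("escaped markup:", render_error_safe(bad))
```

Escaping at the point of output is the fix that closes the reported issue; the allow-list check is an additional layer that keeps such values out of error messages (and logs) entirely, and is the place a defender would add a log line to detect upload attempts of this kind.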
      

            People

              trikkola Toni Rikkola
              rhn-support-wsiqueir William Siqueira
              Jan Hrcek Jan Hrcek (Inactive)
              Votes: 0
              Watchers: 6
