Bug
Resolution: Duplicate
Major
None
Hudson version 1.353
An unauthenticated user can add arbitrary data to the people table found at http://localhost:8080/hudson/people/.
Steps to reproduce:
1. Browse to http://localhost:8080/hudson/user/ANYDATA/
2. Browse to http://localhost:8080/hudson/people/
3. Observe that a new entry for "ANYDATA" has been added
This attack can be used to flood the people table or to add users whose pages carry cross-site scripting payloads (XSS reported in finding 6287 #1).
Recommended Remediation
When a user requests a non-existent user via http://localhost:8080/hudson/user/ANYDATA/, an error page should be returned and a new user should not be added to the people table.
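A small model of the bug and the remediation, added here as an illustration (this is not Hudson's code; the in-memory people table, the handler names and the seeded user `alice` are constructed). It contrasts the lookup that silently creates an entry on a miss with a read-only lookup that returns an error page, and escapes the requested name before echoing it so the error page itself is not an injection point.

```python
import html
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PeopleTable:
    """Constructed stand-in for the /people/ table."""
    users: Set[str] = field(default_factory=set)

    def create(self, name: str) -> None:
        # Explicit creation path (e.g. an admin action or an SCM changelog),
        # the only place a new entry should ever be added.
        self.users.add(name)

    def lookup_vulnerable(self, name: str) -> str:
        # Pre-fix behaviour: an unknown name is created on first view, so an
        # unauthenticated GET /user/ANYDATA/ pollutes the table.
        self.users.add(name)
        return name

    def lookup_fixed(self, name: str) -> Optional[str]:
        # Remediation: read-only lookup; unknown names are never created.
        return name if name in self.users else None


@dataclass
class Response:
    status: int
    body: str


def handle_user_page(table: PeopleTable, path: str, fixed: bool = True) -> Response:
    """Model of the /user/<name>/ handler; 404 for unknown users when fixed."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "user" or not parts[1]:
        return Response(404, "Not found")
    name = parts[1]
    found = table.lookup_fixed(name) if fixed else table.lookup_vulnerable(name)
    if found is None:
        # Echoing attacker-controlled input on an error page: escape it.
        return Response(404, "No such user: " + html.escape(name))
    return Response(200, "User page for " + html.escape(found))


def demo() -> Dict[str, object]:
    # Constructed scenario: one legitimate user, then an anonymous request for
    # an arbitrary name under each behaviour.
    vulnerable = PeopleTable({"alice"})
    handle_user_page(vulnerable, "/user/ANYDATA/", fixed=False)
    hardened = PeopleTable({"alice"})
    resp = handle_user_page(hardened, "/user/ANYDATA/", fixed=True)
    return {"vulnerable_users": sorted(vulnerable.users),
            "fixed_users": sorted(hardened.users),
            "fixed_status": resp.status}
```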
Duplicates: JENKINS-5336 Users are automatically created when going thru HUDSON_URL/user/[anything] (Reopened)