
Arbitrary Data Can Be Added to People Table by Unauthenticated User


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component/s: core
    • Environment: Hudson version 1.353

      An unauthenticated user can add arbitrary data to the people table found at http://localhost:8080/hudson/people/.

      Steps to reproduce:
      1. Browse to http://localhost:8080/hudson/user/ANYDATA/
      2. Browse to http://localhost:8080/hudson/people/
      3. Observe that a new entry for "ANYDATA" has been added

      This attack can be used to flood the people table or to add users with cross-site scripting attacks within their pages (XSS reported in finding 6287 #1).

      Recommended Remediation
      When a user requests a non-existent user via http://localhost:8080/hudson/user/ANYDATA/, an error page should be returned and a new user should not be added to the people table.
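      As an added example (not part of this issue report or of Hudson's own code), the script below shows how an administrator could scan web-server access logs for requests to the /hudson/user/<name>/ path that name accounts which do not exist, and flag sources that probed many such names, which is the flooding pattern described above. The log lines, the known-user set and the threshold are constructed for the illustration; the known-user list should come from the security realm, not from the people table that this bug lets a visitor pollute.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined Log Format (constructed shape; adapt the regex to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Hudson's per-user page; before the fix any name in this position was auto-created.
USER_PATH_RE = re.compile(r'^/hudson/user/([^/?#]+)/?')

def extract_user_requests(log_lines):
    """Yield (ip, requested_name, status) for each hit on /hudson/user/<name>/."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = USER_PATH_RE.match(m.group("path"))
        if not p:
            continue
        yield m.group("ip"), unquote(p.group(1)), int(m.group("status"))

def find_user_probes(log_lines, known_users, flood_threshold=3):
    """Return (unknown, flooding): unknown maps each requested name that is not a
    real user to a Counter of source IPs; flooding lists IPs that requested more
    than flood_threshold distinct unknown names.  Requests the server already
    refused (status >= 400, i.e. the remediated behaviour) are ignored."""
    unknown = defaultdict(Counter)
    per_ip = defaultdict(set)
    for ip, name, status in extract_user_requests(log_lines):
        if name in known_users or status >= 400:
            continue
        unknown[name][ip] += 1
        per_ip[ip].add(name)
    flooding = sorted(ip for ip, names in per_ip.items() if len(names) > flood_threshold)
    return dict(unknown), flooding

# Constructed sample log: one legitimate user page view, one source enumerating
# made-up names, one request that the server already rejected with 404.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2010:10:00:01 +0000] "GET /hudson/user/alice/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [07/May/2010:10:00:02 +0000] "GET /hudson/user/ANYDATA/ HTTP/1.1" 200 4090 "-" "curl/7.19"
10.0.0.9 - - [07/May/2010:10:00:03 +0000] "GET /hudson/user/probe-1/ HTTP/1.1" 200 4090 "-" "curl/7.19"
10.0.0.9 - - [07/May/2010:10:00:04 +0000] "GET /hudson/user/probe-2/ HTTP/1.1" 200 4090 "-" "curl/7.19"
10.0.0.9 - - [07/May/2010:10:00:05 +0000] "GET /hudson/user/probe%203/ HTTP/1.1" 200 4090 "-" "curl/7.19"
10.0.0.7 - - [07/May/2010:10:00:06 +0000] "GET /hudson/user/ghost/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.0.0.7 - - [07/May/2010:10:00:07 +0000] "GET /hudson/people/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
""".splitlines()
KNOWN_USERS = {"alice", "bob"}  # constructed; take this from the security realm in practice

if __name__ == "__main__":
    unknown_names, flooding_ips = find_user_probes(SAMPLE_LOG, KNOWN_USERS)
    print("unknown names requested:", sorted(unknown_names))
    print("sources exceeding the threshold:", flooding_ips)
```

Names requested with a status of 400 or above are skipped, so the same scan run after the remediation is in place only reports hits that still succeeded.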

            Assignee: Unassigned
            Reporter: mcoates
