Reference13r1:Release Notes Security

From innovaphone wiki
Jump to navigation Jump to search
There are also other versions of this article available: Reference13r1 (this version) | Reference13r2 | Reference13r3 | Reference14r1 | Reference14r2

This is the Security 13r1 Release Notes Document. It is an extract of the 13r1 Release Notes showing only the security fixes made (this mechanism was introduced with 13r1SR42). It can be used by security sensitive customers to decide whether an update of the innovaphone structure is needed with a new Service Release.

Service Releases are planned for the second Monday each month.

Please see the disclaimer before using the information presented here!

Security 13r1

13r1 Service Release 41 (133121)

127224 - App Events: Do not broadcast syslog messages on not authenticated WebSocket connections

Syslog messages delivered to the Events instance were sent over WebSocket connections that were not authenticated via AppLogin. Reported by trizwo GmbH IT & Communication,

For more details: <a href="" target="_blank"></a>

13r1 Service Release 43 (133128)

131497 - Advanced UI: Prevent XSL injection

The servlets for the advanced UI accept an "xsl" URL paramter that specifies the XSLT file for displaying the corresponding page.

Before this fix it was possible to specify a DATA URL containing a malicious style sheet that could be used for phishing attacks.

After this fix no values containing a colon are allowed, like:

  • xsl=data:...
  • xsl=data%3A...
  • xsl=data%3a...
  • xsl=javascript%3A...
  • xsl=http%3A...
  • ...

So only the pre-defined style sheets from the box are allowed.

Reported by trizwo GmbH IT & Communication,

13r1 Service Release 45 (133139)