OpenNMS / NMS-8431

Security issue for all admin vaadin applications exposed as OSGI Service

    Details

    • Sprint:
      Horizon - July 5th, Horizon - July 12th, Horizon - July 26th

      Description

       
      Usually the Vaadin applications are embedded as an iframe.
      If you know the embedded URL, you can get access to the application even if you are not authorized.
       
      Example:
      Log in to demo.opennms.org with the demo user.
      Go to the following page: demo.opennms.org/opennms/osgi/jmx-config-tool
       
      TADA, you now have access to a restricted area.
       
      Basically all OSGi-deployed applications are bridged AND accessible via /osgi/.
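
The gap described in this report, as an added example that is not part of the original issue and not OpenNMS code: a small audit of first-match URL access rules that flags admin-only applications whose direct `/osgi/` URL is reachable with a non-admin role. The rule sets, the role names and the `/admin/**` pattern are constructed assumptions; only the `/osgi/jmx-config-tool` path (relative to the `/opennms` context) comes from the report.

```python
import re

def compile_pattern(pattern):
    """Ant-style matcher: '*' stays within a path segment, '**' crosses segments."""
    tail = ""
    if pattern.endswith("/**"):          # '/osgi/**' also covers '/osgi' itself
        pattern, tail = pattern[:-3], r"(/.*)?"
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile("^" + body + tail + "$")

def roles_for(rules, path):
    """Return the roles of the first matching rule, or None if no rule matches."""
    for pattern, roles in rules:
        if compile_pattern(pattern).match(path):
            return roles
    return None

def audit(rules, admin_only_paths, admin_role="ROLE_ADMIN"):
    """List admin-only paths that a non-admin role can reach or that no rule covers."""
    findings = []
    for path in admin_only_paths:
        roles = roles_for(rules, path)
        if roles is None or roles - {admin_role}:
            findings.append((path, roles))
    return findings

# Constructed rule set: the page that embeds the iframe is admin-only,
# but the embedded application's own URL falls through to the catch-all.
WEAK_RULES = [
    ("/admin/**", {"ROLE_ADMIN"}),               # hypothetical wrapper page
    ("/**", {"ROLE_USER", "ROLE_ADMIN"}),        # any logged-in user
]
# Constructed correction: the bridged application itself requires the admin role.
FIXED_RULES = [("/osgi/jmx-config-tool/**", {"ROLE_ADMIN"})] + WEAK_RULES

ADMIN_APPS = ["/osgi/jmx-config-tool"]           # path taken from the report

if __name__ == "__main__":
    print("weak :", audit(WEAK_RULES, ADMIN_APPS))
    print("fixed:", audit(FIXED_RULES, ADMIN_APPS))
```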
       
       


            People

            Assignee:
            mvr Markus von Rüden
            Reporter:
            mvr Markus von Rüden