Funnelback patch

  • Released: 2019-10-28

  • Applies to: v15.22.0

  • Internal reference: RNDSUPPORT-3079


  • Prevents XSS vulnerabilities found in the classic administration dashboard.

Affected files

  • lib/perl/Funnelback/

  • web/admin/delete-file.cgi

  • web/admin/download-conf.cgi

  • web/admin/edit-conf.cgi

  • web/admin/edit-form.cgi

  • web/admin/example-gui.cgi

  • web/admin/load-ctest.cgi

  • web/admin/publish.cgi

  • web/admin/restore-conf.cgi

  • web/admin/show-file.cgi

  • web/admin/show-monitor-log.cgi

  • web/admin/svn.cgi

  • web/admin/upload-conf.cgi


  • Stop the Jetty web server.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • Run $SEARCH_HOME/bin/setup/ to regenerate service files from the templates. Please note that this will cause each Funnelback service to be restarted.

  • Reboot the Funnelback server to ensure systemd picks up the changes to the service files.

  • Start the Jetty web server if the server was not restarted.
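
One way to carry out the "deploy on top of an existing install, backing up all replaced files" step so that it can be reversed. This is an added example, not part of the patch or Funnelback's own tooling; it assumes the patch has been unpacked into a directory that mirrors the install root, and the function names, the backup layout and manifest.txt are hypothetical.

```shell
#!/bin/sh
# Added example, not Funnelback's own tooling. Assumes the patch has been
# unpacked into a directory that mirrors the install root (web/admin/...).

# deploy_patch PATCH_DIR INSTALL_ROOT BACKUP_DIR
# Backs up each file the patch replaces, records it in a manifest, then copies
# the patched file into place. The body is a subshell, so "exit" only sets the
# function's return status.
deploy_patch() (
    patch_dir=$1 install_root=$2 backup_dir=$3
    [ -d "$patch_dir" ] && [ -d "$install_root" ] || exit 2
    # Refuse to reuse a backup directory: a second run would overwrite the
    # original files with already-patched copies.
    [ ! -e "$backup_dir/manifest.txt" ] || exit 3
    mkdir -p "$backup_dir/files" || exit 1
    : > "$backup_dir/manifest.txt" || exit 1
    (cd "$patch_dir" && find . -type f | sed 's|^\./||' | sort) |
    while IFS= read -r rel; do
        if [ -f "$install_root/$rel" ]; then
            mkdir -p "$backup_dir/files/$(dirname "$rel")" || exit 1
            cp -p "$install_root/$rel" "$backup_dir/files/$rel" || exit 1
            echo "replaced $rel" >> "$backup_dir/manifest.txt"
        else
            echo "new $rel" >> "$backup_dir/manifest.txt"
        fi
        mkdir -p "$install_root/$(dirname "$rel")" || exit 1
        cp -p "$patch_dir/$rel" "$install_root/$rel" || exit 1
    done
)

# rollback_patch INSTALL_ROOT BACKUP_DIR
# Restores replaced files from the backup and removes files the patch added.
rollback_patch() (
    install_root=$1 backup_dir=$2
    [ -f "$backup_dir/manifest.txt" ] || exit 2
    while read -r state rel; do
        case $state in
            replaced) cp -p "$backup_dir/files/$rel" "$install_root/$rel" || exit 1 ;;
            new)      rm -f "$install_root/$rel" || exit 1 ;;
        esac
    done < "$backup_dir/manifest.txt"
)
```

Run deploy_patch with the web server stopped, and keep the backup directory outside the install root so the saved copies of the old CGI scripts are not left in a served location.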