I don’t know if there is anything broken. I understood there seems to be a vulnerability for js injection… I can ask more info on what this person has done to get the error 5xx when attempting to conduct a js injection?
Anything in the logs?
So… trying to enter an js/SQL injection in the searchfield on the top left introduces a “500 internal server error”
Would this be a risk that needs attention?
Thank you for the screenshot, I used it for reproducing the problem
For sure is not a risk: the demo is NO a NethServer. It’s just mock machine running on docker. Basically it’s only the web interface. You have the same error even if you type something normal on the search filter (like “mail”).
in the searchbox of a live NethServer. There was no visual return. I could not find any reference to the faulty input in /var/log/messages nor in /var/log/httpd-admin/error_log or /var/log/httpd-admin/access_log
Logs might not log POST commands which we are probably talking about. I assume some ajax code is used to return a lot of entries one might look for just like google does.
Logging POST command can be very useful but also take up a lot of space in the database or logfiles itself.
What is happening here , at the demoserver, is probably a waf that is returning a 5xx instead of a 4xx which should be a proper respons. A 5xx is a real server problem.
If you want a real report of what might be wrong with the product you can either try to get someone with a payed solution to scan the software or use some oss products that might give more details but only in plain text, no fancy manager stuff
I did work with both products but if you start to use it then be prepared to use it as a continous check that will keep people informed.