[jira] [Commented] (CAMEL-3991) Bad href links generated for certain endpoint uris in camel-web

Fri, 03 Jun 2011 18:49:44 -0700 

    [ 
https://issues.apache.org/jira/browse/CAMEL-3991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13044165#comment-13044165
 ] 

Hadrian Zbarcea commented on CAMEL-3991:
----------------------------------------

This issue is a potential XSS vulnerability discovered by Sow Ching Shiong and 
reported by Secunia (secunia.com). Please find below the original report:

{quote}
We have received a vulnerability report from a third-party researcher (Sow
Ching Shiong) regarding a cross-site scripting vulnerability in Apache Camel
and contact you on his behalf to attempt a coordinated disclosure.

Please see the vulnerability details below.

We have confirmed the vulnerability in version 2.7.0.

We have reserved Secunia Advisory SA44415 and set a preliminary release date
of 25th May, 2011 for the publication of our advisory. We are, of course,
prepared to postpone this date in case you need more time to address the
vulnerability, as long as you keep us updated on the status.

Also, don't hesitate to contact us in case you have any comments or
questions.

Details:

Input passed via the URL to "camel/endpoints/<endpoint>" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.


PoC from the reporter:

==
http://localhost:8161/camel/endpoints/mock:someName<iframe
src="javascript:alert('Stored XSS')"

For Stored XSS, please visit
http://localhost:8161/camel/endpoints again to trigger it.
{quote}

> Bad href links generated for certain endpoint uris in camel-web
> ---------------------------------------------------------------
>
>                 Key: CAMEL-3991
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3991
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-web
>    Affects Versions: 2.7.1
>            Reporter: Hadrian Zbarcea
>            Assignee: Hadrian Zbarcea
>             Fix For: 2.7.2, 2.8.0
>
>
> When new Endpoints are created via camel-web, some endpoint uris result in 
> bad href links generated for the endpoint page.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to