[ https://issues.apache.org/jira/browse/QPID-8675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomas Vavricka updated QPID-8675:
---------------------------------
    Description:

Indraneel Dey reported on [mailing list|https://lists.apache.org/thread/mgok3h4cpplod35wv83v9348gfxsd760]:

{quote}Hello,

Our application uses QPID Broker-J and one of our users recently made us aware of an XSS vulnerability. The application seems to be vulnerable to a "reflected XSS attack" for the Management channel.

Sending a request in the form of "{management-endpoint}/some-script-containing-alert" results in a response of the form of "Unknown path 'some-script-containing-alert'. Please read the api docs at ...". The part of the URL, "some-script-containing-alert", can contain any malicious script which is reflected in the response as is, and can be exploited for an XSS attack.

I looked at QPID-6022 but the fix therein seems to have been insufficient. It seems that similar fixes are also required in the following files for both "Unknown File" and "Unknown Path":

* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java
* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java

Thank you for your attention to this matter.

Regards,
Indraneel Dey
{quote}

*Implementation*

The class DefinedFileServlet doesn't seem to be used in broker code and could be deleted.

In class RootServlet the error message should escape text, replacing the characters >, <, &, " and ' with the appropriate escaped entities.

  was: (the same report, without the *Implementation* section)


> [Broker-J] XSS vulnerability in path
> ------------------------------------
>
>                 Key: QPID-8675
>                 URL: https://issues.apache.org/jira/browse/QPID-8675
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.6, qpid-java-broker-9.0.0, qpid-java-broker-9.1.0, qpid-java-broker-9.2.0
>            Reporter: Tomas Vavricka
>            Priority: Major
>             Fix For: qpid-java-broker-9.2.1


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
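The escaping the *Implementation* section asks for, written out as an added illustrative example (this is not Broker-J's RootServlet code; the class and method names, and the sample path, are constructed here). It puts the unescaped message shape beside the escaped one so the difference in what reaches the response body is visible.

```java
import java.util.Objects;

/**
 * Example only: hardening an "Unknown path '...'" error message so that a
 * request path containing markup is rendered as text rather than as HTML.
 * Class and method names are assumptions, not Broker-J identifiers.
 */
public final class UnknownPathMessage {

    private UnknownPathMessage() { }

    /** Replaces the five characters the ticket lists with their HTML entities. */
    static String escapeHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Shape of the problem: the request path is concatenated into the body unchanged. */
    static String unescapedMessage(String path) {
        return "Unknown path '" + path + "'. Please read the api docs at ...";
    }

    /** Fixed shape: the path is escaped before it is placed in the response text. */
    static String escapedMessage(String path) {
        return "Unknown path '" + escapeHtml(Objects.requireNonNull(path))
                + "'. Please read the api docs at ...";
    }

    public static void main(String[] args) {
        // Constructed sample path exercising all five escaped characters.
        String path = "<b>\"x\"&'y'</b>";
        System.out.println(unescapedMessage(path)); // markup survives intact
        System.out.println(escapedMessage(path));   // markup arrives as entities
    }
}
```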