[jira] [Work logged] (AMQ-7231) XSS in webconsole

Fri, 24 Jan 2020 11:16:27 -0800 


     [ 
https://issues.apache.org/jira/browse/AMQ-7231?focusedWorklogId=376997&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-376997
 ]

ASF GitHub Bot logged work on AMQ-7231:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Jan/20 19:15
            Start Date: 24/Jan/20 19:15
    Worklog Time Spent: 10m 
      Work Description: coheigea commented on pull request #429: AMQ-7231 - Fix 
XSS in WebConsole
URL: https://github.com/apache/activemq/pull/429
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 376997)
    Remaining Estimate: 0h
            Time Spent: 10m

> XSS in webconsole
> -----------------
>
>                 Key: AMQ-7231
>                 URL: https://issues.apache.org/jira/browse/AMQ-7231
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: 5.15.6
>            Reporter: Torbjørn Skyberg Knutsen
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>             Fix For: 5.16.0, 5.15.12
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The admin GUI is very much open to XSS, in the view that lists the contents 
> of a queue. 
> Using Camel, here is the code required to make the GUI run JavaScript-code:
> {code:java}
> messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", 
> "hello}\"><script>alert('XSS :(');</script>");
> {code}
> This also happens when you have a header containing xml, where an element 
> holds an attribute:
> {code:java}
> messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", "<Something 
> something=\"something\">hello</noe>><script>alert('XSS :(');</script>");
> {code}
> Seems to be due to how the title of the message is generated. This last one 
> also messes up the way a message is displayed in the list, since it will 
> start displaying the xml content after the attribute as HTML.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to