[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-22 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114542#comment-17114542 ]

ASF subversion and git services commented on AMQ-7465:
--

Commit 9ac781592558cc69ce070b84ff268c48b5ef7981 in activemq's branch 
refs/heads/activemq-5.15.x from jbonofre
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=9ac7815 ]

[AMQ-7465] Protect any webconsole URL by default

(cherry picked from commit 93c245b8ec16849994f2cd4bb4a4b0bb73086ed1)


> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory
> 
>
> Key: AMQ-7465
> URL: https://issues.apache.org/jira/browse/AMQ-7465
> Project: ActiveMQ
>  Issue Type: Bug
>  Components: Security/JAAS
>Affects Versions: 5.14.5
>Reporter: Bhavana
>Assignee: Jean-Baptiste Onofré
>Priority: Critical
> Fix For: 5.16.0, 5.15.13
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
> The version of Xerver installed on the remote host is affected by an 
> authentication bypass vulnerability. It is possible to access protected web 
> directories without authentication by prepending the directory with an extra 
> '/' character, as long as the directory is not recursively protected.
> A remote, unauthenticated attacker can leverage this issue to gain access to 
> protected web directories.
> Nessus was able to reproduce the issue using the following URL:
> [https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/]
> We have assigned port 8162 to the ActiveMQ GUI in our applications.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-22 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114527#comment-17114527 ]

ASF subversion and git services commented on AMQ-7465:
--

Commit 93c245b8ec16849994f2cd4bb4a4b0bb73086ed1 in activemq's branch 
refs/heads/master from jbonofre
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=93c245b ]

[AMQ-7465] Protect any webconsole URL by default




[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-22 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114529#comment-17114529 ]

ASF subversion and git services commented on AMQ-7465:
--

Commit e97322bddb06523981046f49225160a2b4347c3d in activemq's branch 
refs/heads/master from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=e97322b ]

Merge pull request #537 from jbonofre/AMQ-7465

[AMQ-7465] Protect any webconsole URL by default



[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-22 Thread ASF subversion and git services (Jira)


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17114528#comment-17114528 ]

ASF subversion and git services commented on AMQ-7465:
--

Commit e97322bddb06523981046f49225160a2b4347c3d in activemq's branch 
refs/heads/master from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=e97322b ]

Merge pull request #537 from jbonofre/AMQ-7465

[AMQ-7465] Protect any webconsole URL by default



[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-21 Thread Jira


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112971#comment-17112971 ]

Jean-Baptiste Onofré commented on AMQ-7465:
---

See my change on [https://github.com/apache/activemq/pull/537]

I think it's what you are looking for.



[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-21 Thread Jira


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112966#comment-17112966 ]

Jean-Baptiste Onofré commented on AMQ-7465:
---

I'm doing this change by default just in case.



[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-21 Thread Jira


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112965#comment-17112965 ]

Jean-Baptiste Onofré commented on AMQ-7465:
---

Anyway, you can fully protect any URL by doing this change in 
{{conf/jetty.xml}}:
{code:java}
    
        
        
     {code}

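The difference between a constraint that names specific console prefixes and the catch-all that the AMQ-7465 commit title ("Protect any webconsole URL by default") describes, as an added Python illustration that is not ActiveMQ's or Jetty's own code; the narrow specs `/api/*`, `/admin/*` and `*.jsp` are assumed, not taken from the ticket. It shows why a prefix constraint does not cover a double-slash request path, and two ways to close that gap: a catch-all `/*` mapping, or collapsing repeated slashes before matching.

```python
import re

# Added illustration of servlet-style security-constraint matching; this is
# not ActiveMQ's or Jetty's own code, and the path specs below are assumed.
# Supported spec forms:
#   "/*"        catch-all (every request path)
#   "/admin/*"  prefix:  matches "/admin" and anything under "/admin/"
#   "*.jsp"     suffix:  matches any path ending in ".jsp"
#   "/exact"    exact match only
def spec_matches(spec: str, path: str) -> bool:
    if spec == "/*":
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def is_protected(path: str, constraint_specs) -> bool:
    """True when at least one constraint path spec covers the request path."""
    return any(spec_matches(spec, path) for spec in constraint_specs)


def collapse_slashes(path: str) -> str:
    """Defensive normalisation before matching: '//admin/' -> '/admin/'."""
    return re.sub(r"/{2,}", "/", path)


# Assumed constraint lists (constructed for this example): a narrow mapping
# that names the console's own prefixes, and the catch-all mapping that
# protects every URL of the console by default.
NARROW_SPECS = ["/api/*", "/admin/*", "*.jsp"]
CATCHALL_SPECS = ["/*"]


def audit(path: str) -> dict:
    """Compare how one request path fares under each constraint style."""
    return {
        "narrow": is_protected(path, NARROW_SPECS),
        "narrow_normalised": is_protected(collapse_slashes(path), NARROW_SPECS),
        "catchall": is_protected(path, CATCHALL_SPECS),
    }


if __name__ == "__main__":
    for p in ["/admin/", "//admin/", "/admin/queues.jsp", "//api/jolokia"]:
        print(f"{p:20} {audit(p)}")
```

A double-slash path that no constraint covers falls through to whatever the container resolves it to (a 404 in the maintainer's test above); the catch-all mapping makes that outcome irrelevant because authentication is required first.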


[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-21 Thread Jira


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112933#comment-17112933 ]

Jean-Baptiste Onofré commented on AMQ-7465:
---

Just a note: there's no "web directory" in the ActiveMQ console, only JSPs, and 
those are protected. So I don't see any issue there. Do you have an example URL 
where you see a problem?



[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-05-21 Thread Jira


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17112932#comment-17112932 ]

Jean-Baptiste Onofré commented on AMQ-7465:
---

I don't understand the issue. I tried this URL: [http://localhost:8161//admin]

and I got a 404 (which is correct) with ActiveMQ 5.15.13-SNAPSHOT and 5.14.5.

Can you elaborate on where the security issue is here?



[jira] [Commented] (AMQ-7465) Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

2020-04-13 Thread Bhavana (Jira)


[ https://issues.apache.org/jira/browse/AMQ-7465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17082213#comment-17082213 ]

Bhavana commented on AMQ-7465:
--

The above security vulnerability was detected on our server during the Nessus 
scan. We are using port 8162 in our application. Could you please suggest how to 
fix this issue?

> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory
> 
>
> Key: AMQ-7465
> URL: https://issues.apache.org/jira/browse/AMQ-7465
> Project: ActiveMQ
>  Issue Type: Bug
>  Components: Security/JAAS
>Affects Versions: 5.14.5
>Reporter: Bhavana
>Priority: Critical
>
> Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
> The version of Xerver installed on the remote host is affected by an 
> authentication bypass vulnerability. It is possible to access protected web 
> directories without authentication by prepending the directory with an extra 
> '/' character, as long as the directory is not recursively protected.
> A remote, unauthenticated attacker can leverage this issue to gain access to 
> protected web directories.
> Nessus was able to reproduce the issue using the following URL:
> [https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/]
> We have assigned port 8162 to the ActiveMQ GUI in our applications.


