Hi,

Thanks for reporting. I created QPID-8675 JIRA to address the issue.
https://issues.apache.org/jira/browse/QPID-8675

Regards,
Tomas

On 2024/07/08 18:02:46 Indraneel Dey wrote:
> Hello,
>
> Our application uses QPID Broker-J and one of our users recently made us
> aware of an XSS vulnerability. The application seems to be vulnerable to a
> "reflected XSS attack" for the Management channel.
>
> Sending a request in the form of
> "{management-endpoint}/some-script-containing-alert" results in a response
> of the form of "Unknown path 'some-script-containing-alert'. Please read
> the api docs at ...". The part of the URL, "some-script-containing-alert",
> can contain any malicious script which is reflected in the response as is,
> and can be exploited for an XSS attack.
>
> I looked at QPID-6022 but the fix therein seems to have been insufficient.
> It seems that similar fixes are also required in the following files for both
> "Unknown File" and "Unknown Path":
>
> * broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java
> * broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java
>
> Thank you for your attention to this matter.
>
> regards,
> Indraneel Dey

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org
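The reflected-XSS pattern described in the report, echoing an unknown request path into the error body unchanged, shown next to an output-escaped version. This is an added illustration, not code from Qpid Broker-J; the class and method names, the `escapeHtml` helper and the sample path are constructed for the example.

```java
import java.util.Objects;

/** Constructed example: building an "Unknown path" error body with and without escaping. */
public final class UnknownPathResponse {

    // Vulnerable pattern: the request path is concatenated into the body verbatim,
    // so any markup present in the URL segment is reflected to the browser as HTML.
    static String unknownPathUnsafe(String path) {
        return "Unknown path '" + path + "'. Please read the api docs at ...";
    }

    // Hardened pattern: every character with meaning in HTML is escaped before the
    // path is echoed, so the segment is rendered as literal text rather than markup.
    static String unknownPathSafe(String path) {
        return "Unknown path '" + escapeHtml(path) + "'. Please read the api docs at ...";
    }

    // Minimal HTML escaper (hypothetical helper written for this example; a maintained
    // encoder such as the OWASP Java Encoder is the usual choice in production code).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(Objects.requireNonNull(s).length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a script tag placed in the unknown segment of the URL.
        String path = "<script>alert(1)</script>";
        System.out.println(unknownPathUnsafe(path)); // tag reaches the browser intact
        System.out.println(unknownPathSafe(path));   // tag is shown as harmless text
    }
}
```

In a servlet the same body should also be sent with an explicit `text/plain; charset=UTF-8` content type and an `X-Content-Type-Options: nosniff` header, so the browser never interprets the error page as HTML even if a future change forgets to escape.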