ActiveMQ: AMQ-2613

Persistent Cross-site Scripting in /createDestination.action [JMSDestination parameter]

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.3.0
    • Fix Version/s: 5.3.1, 5.4.0
    • Component/s: None
    • Labels: None
    • Environment: Linux environment.

      Description

      GET /createDestination.action?JMSDestinationType=queue&JMSDestination=%22%3E%3Cscript%3Ealert%28%22persistent%20XSS%22%29%3C%2fscript%3E
      This GET request creates a queue with a malformed name due to lack of input validation. After sending this request, a sample of the effect can be seen by browsing to /queues.jsp and clicking on the "Home" link.
      I do not know the affected version information yet. Is there some way I can find it?
      Additionally, this is vulnerable to cross-site request forgery as well but XSS is a more critical bug than XSRF (at least at this point for me I guess).


      CVE Identifier issued for this:
      CVE-2010-0684

        Activity

        Dejan Bosanac added a comment -

        No worries James, I'm glad it's really fixed. Cheers

        James C added a comment -

        Dejan,

        my mistake, activemq was picking up an old config file during my tests. I confirm this now looks fixed.

        I think you can close it now (again !)

        thanks,

        James.

        Dejan Bosanac added a comment -

        Hi James,

        I just tried to reproduce it, but it seems all fine from here. What are you seeing as a result?

        Cheers,
        Dejan

        James C added a comment -

        Dejan,

        I just checked on the latest 5.4 snapshot (Thu Apr 08 04:00:00). The first issue is fixed, but the second one (sending a message with correlationID containing script) still occurs.

        cheers,

        James.

        Dejan Bosanac added a comment -

        Fixed in svn revision 931552

        Thanks for reporting this. I did some more sanitation and hopefully everything is covered now.

        Romain Wartel added a comment -

        Joe is correct.

        Also, for the permanent XSS, "correlation ID" is not the only vulnerable variable. "Reply To ", "Type", etc. are vulnerable.

        It is important to sanitise user input in general, not just for the variables that are being reported here.

        Joe Luo added a comment -

        It looks like there are some new unpatched vulnerabilities. Taking a release apache-activemq 5.3.1, installing it and navigating to:

        http://localhost:8161/admin/connection.jsp?connectionID=%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

        you see a non-permanent XSS vulnerability.

        For a permanent XSS vulnerability do the following:

        1) On the web console go to the 'send' page:

        set:

        • destination : "foo"
        • correlation ID field to "<script>alert('Vunerable to XSS!');</script>"

        2) go to the queue browser page for queue "foo" - you get an XSS attack

        Dejan Bosanac added a comment -

        Fixed with svn revision 915384 and merged into 5.3 branch.

        The web console should now be immune to XSS and CSRF attacks. First ones are fixed by sanitizing the output. The CSRF attacks are prevented by sending a secret to the form and checking it before modifying results. Also, POST method is forced where it is applicable.

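        Added illustration (not ActiveMQ's code, and in Python rather than the console's Java/JSP) of the three mitigations this comment describes: per-context output encoding of the destination name, a per-session form secret checked before the change is made, and POST-only handling. The function names and the browse.jsp link shape are assumptions; the payload is constructed after the one in the issue description.

```python
import hmac
import html
import secrets
from urllib.parse import quote

# Constructed payload with the same shape as the one in the issue description:
# a quote closes the attribute, then a script element is injected.
PAYLOAD = '"><script>alert("persistent XSS")</script>'


def render_queue_link_unescaped(name):
    """Hypothetical pre-fix behaviour: the stored name is interpolated verbatim."""
    return f'<a href="browse.jsp?JMSDestination={name}">{name}</a>'


def render_queue_link_escaped(name):
    """Post-fix behaviour: encode for each output context separately,
    URL-encoding inside the href and HTML-escaping in the link text."""
    href = quote(name, safe="")
    text = html.escape(name, quote=True)
    return f'<a href="browse.jsp?JMSDestination={href}">{text}</a>'


def contains_live_script(markup):
    """True if the markup still carries a real <script> tag rather than an escaped one."""
    return "<script" in markup.lower()


def new_form_secret():
    """Per-session secret that the console embeds in the form as a hidden field."""
    return secrets.token_urlsafe(32)


def handle_create_destination(method, session_secret, form):
    """Return (status, body). Only a POST carrying the session's secret may create
    a destination; the name is encoded before it is rendered back to the browser."""
    if method != "POST":
        return 405, "destination changes must be sent with POST"
    submitted = form.get("secret", "")
    # Constant-time compare on bytes so a non-ASCII submission cannot raise.
    if not hmac.compare_digest(submitted.encode(), session_secret.encode()):
        return 403, "missing or invalid form secret"
    name = form.get("JMSDestination", "")
    return 200, render_queue_link_escaped(name)


if __name__ == "__main__":
    secret = new_form_secret()
    print(render_queue_link_unescaped(PAYLOAD))  # live <script> tag lands in the page
    print(render_queue_link_escaped(PAYLOAD))    # inert, encoded text
    print(handle_create_destination("GET", secret, {"JMSDestination": PAYLOAD}))
    print(handle_create_destination("POST", secret, {"JMSDestination": PAYLOAD, "secret": secret}))
```

        The same per-context encoding applies to any reflected parameter, such as the connectionID value on connection.jsp mentioned later in this thread.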
        rajat added a comment -

        Two issues:

        • XSS
        • XSRF/CSRF

          People

          • Assignee: Dejan Bosanac
          • Reporter: rajat
          • Votes: 0
          • Watchers: 1