[AMQ-2613] Persistent Cross-site Scripting in /createDesitnation.action [JMSDestination parameter] - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.3.0
Fix Version/s: 5.3.1, 5.4.0
Component/s: None
Labels:
None
Environment:

Linux environment.

Description

GET /createDestination.action?JMSDestinationType=queue&JMSDestination=%22%3E%3Cscript%3Ealert%28%22persistent%20XSS%22%29%3C%2fscript%3E
This GET request creates a queue name that has malformed queue name due to lack of input validation. After sending this request a sample of the effect can be seen by browsing to /queues.jsp and clicking on the "Home" link.
I do not know the affected version information yet. Is there some way I can find it?
Additionally, this is vulnerable to cross-site request forgery as well but XSS is a more critical bug than XSRF (at least at this point for me I guess).

CVE Identifier issued for this:
CVE-2010-0684

Attachments

Activity

People

Assignee:: Dejan Bosanac

Reporter:: rajat

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/Feb/10 19:22

Updated:: 08/Apr/10 09:21

Resolved:: 08/Apr/10 09:21