ActiveMQ / AMQ-2625

Persistent Cross-site Scripting in /createDestination.action [JMSDestination parameter]

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.3.0
    • Fix Version/s: 5.3.1, 5.4.0
    • Component/s: None
    • Labels:
      None
    • Environment:

      Linux environment.

      Description

      GET /createDestination.action?JMSDestinationType=queue&JMSDestination=%22%3E%3Cscript%3Ealert%28%22persistent%20XSS%22%29%3C%2fscript%3E
      This GET request creates a queue with a malformed queue name due to a lack of input validation. After sending this request, a sample of the effect can be seen by browsing to /queues.jsp and clicking on the "Home" link.
      I do not know the affected version information yet. Is there some way I can find it?
      Additionally, this is vulnerable to cross-site request forgery as well but XSS is a more critical bug than XSRF (at least at this point for me I guess).


      CVE Identifier issued for this:
      CVE-2010-0684
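
      The two server-side controls that address the missing input validation described in the report, shown on the reported JMSDestination value: an allowlist check before a name is stored, and HTML encoding whenever a stored name is rendered. This is an added example, not ActiveMQ's actual fix; the class and method names, the naming policy and the row markup are assumptions for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class DestinationNameDemo {
    // Assumed naming policy for this example (not ActiveMQ's own rule).
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,255}");

    // Input validation: reject names outside the allowlist before storing them.
    static boolean isValidDestinationName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    // Output encoding: escape HTML metacharacters whenever a stored name is rendered.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical rendering of one row of a queue list page.
    static String renderRow(String queueName) {
        String safe = escapeHtml(queueName);
        return "<td><a title=\"" + safe + "\">" + safe + "</a></td>";
    }

    public static void main(String[] args) {
        // The JMSDestination value from the request in the report, URL-decoded.
        String reported = URLDecoder.decode(
            "%22%3E%3Cscript%3Ealert%28%22persistent%20XSS%22%29%3C%2fscript%3E",
            StandardCharsets.UTF_8);
        System.out.println("reported name accepted: " + isValidDestinationName(reported));
        System.out.println("plain name accepted:    " + isValidDestinationName("orders.incoming"));
        // A name that is already stored stays inert markup once it is encoded on output.
        System.out.println("rendered row: " + renderRow(reported));
    }
}
```

      Validation alone does not clean up names that were stored before the check existed, which is why the rendering path encodes as well.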

        Activity

        rajat created issue
        rajat made changes:
          Field: Status; Original Value: Open [ 1 ]; New Value: Closed [ 6 ]
          Field: Resolution; New Value: Fixed [ 1 ]
        Jeff Turner made changes:
          Field: Project Import; New Value: Fri Nov 26 22:32:02 EST 2010 [ 1290828722158 ]

          People

          • Assignee:
            Dejan Bosanac
            Reporter:
            rajat
          • Votes:
            0
            Watchers:
            0