  1. ActiveMQ Classic
  2. AMQ-2788

Directory Traversal Vulnerability


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.3.1, 5.3.2
    • Fix Version/s: 5.4.0
    • Component/s: None
    • Labels: None
    • Environment: Windows

    Description

      Due to a vulnerability in Jetty's ResourceHandler (http://jira.codehaus.org/browse/JETTY-1004), ActiveMQ installations on Windows are prone to this vulnerability. For example, you can see the README file by entering the following URL: http://localhost:8161/\../\../README.txt

      This is solved by moving to the Jetty 7.x version on trunk and in the upcoming 5.4.0 release.

      People affected by this issue should either upgrade manually to Jetty 6.1.17 or remove the resource handler declaration by commenting out or deleting the following snippet from jetty.xml:

      <bean class="org.mortbay.jetty.handler.ContextHandler">
        <property name="contextPath" value="/"/>
        <property name="handler">
          <bean class="org.mortbay.jetty.handler.ResourceHandler">
            <property name="welcomeFiles">
              <list>
                <value>index.html</value>
              </list>
            </property>
            <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
          </bean>
        </property>
      </bean>
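
To confirm the workaround was applied, the following added example (not part of the original issue or of ActiveMQ) parses a jetty.xml and reports any ResourceHandler bean that is still declared, ignoring declarations that have been commented out. The function names, the Spring `<beans>` root with its namespace, and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

RESOURCE_HANDLER = "org.mortbay.jetty.handler.ResourceHandler"

# Constructed sample: the declaration from the issue inside a Spring <beans>
# root; the root element and its namespace are assumptions about jetty.xml.
SAMPLE_ACTIVE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.mortbay.jetty.handler.ContextHandler">
    <property name="contextPath" value="/"/>
    <property name="handler">
      <bean class="org.mortbay.jetty.handler.ResourceHandler">
        <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
      </bean>
    </property>
  </bean>
</beans>"""

# Constructed sample: the same file after the workaround (snippet commented out).
SAMPLE_MITIGATED = SAMPLE_ACTIVE.replace(
    '<bean class="org.mortbay.jetty.handler.ContextHandler">',
    '<!-- <bean class="org.mortbay.jetty.handler.ContextHandler">',
).replace("  </bean>\n</beans>", "  </bean> -->\n</beans>")


def local(tag):
    """Strip an XML namespace prefix: '{uri}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def find_resource_handlers(xml_text):
    """Return the resourceBase of every ResourceHandler bean still declared.

    The parser discards XML comments, so a commented-out declaration is not
    reported. A handler without a resourceBase attribute is reported as None.
    """
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "bean" and el.get("class") == RESOURCE_HANDLER:
            base = next((p.get("value") for p in el
                         if local(p.tag) == "property"
                         and p.get("name") == "resourceBase"), None)
            found.append(base)
    return found


if __name__ == "__main__":
    for name, text in (("active", SAMPLE_ACTIVE), ("mitigated", SAMPLE_MITIGATED)):
        print(name, find_resource_handlers(text))
```

An empty result means no active ResourceHandler declaration remains in the parsed file; it does not check the installed Jetty version.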

          People

            Assignee: Dejan Bosanac (dejanb)
            Reporter: Dejan Bosanac (dejanb)