Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 5.3.1, 5.3.2
- None
- None
- Windows
Description
Due to a vulnerability in Jetty's ResourceHandler (http://jira.codehaus.org/browse/JETTY-1004), ActiveMQ installations on Windows are prone to this vulnerability. For example, you can see the README file by entering the following URL: http://localhost:8161/\../\../README.txt
This is solved by moving to the 7.x Jetty version on trunk and in the upcoming 5.4.0 release.
People affected by this issue should either upgrade manually to Jetty 6.1.17 or remove the resource handler declaration by commenting out or deleting the following snippet from jetty.xml:
<bean class="org.mortbay.jetty.handler.ContextHandler">
    <property name="contextPath" value="/"/>
    <property name="handler">
        <bean class="org.mortbay.jetty.handler.ResourceHandler">
            <property name="welcomeFiles">
                <list>
                    <value>index.html</value>
                </list>
            </property>
            <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
        </bean>
    </property>
</bean>
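
One way to confirm the workaround above was applied, as an added example that is not part of the original issue or of ActiveMQ: a Python check that parses jetty.xml and lists every ResourceHandler bean that is still active. The function names and the sample XML are constructed for illustration, and the Spring beans namespace on the root element is an assumption about the file.

```python
import sys
import xml.etree.ElementTree as ET

RESOURCE_HANDLER = "org.mortbay.jetty.handler.ResourceHandler"

def local(tag):
    """Strip an XML namespace prefix such as the Spring beans namespace."""
    return tag.rsplit("}", 1)[-1]

def find_resource_handlers(jetty_xml_text):
    """Return the resourceBase of every active ResourceHandler bean.

    The default parser discards <!-- --> comments, so a commented-out
    declaration is reported as removed.
    """
    root = ET.fromstring(jetty_xml_text)
    found = []
    for elem in root.iter():
        if local(elem.tag) == "bean" and elem.get("class") == RESOURCE_HANDLER:
            base = None
            for prop in elem:
                if local(prop.tag) == "property" and prop.get("name") == "resourceBase":
                    base = prop.get("value")
            found.append(base)
    return found

# Constructed sample input modelled on the snippet in the issue.
HANDLER = """
  <bean class="org.mortbay.jetty.handler.ContextHandler">
    <property name="contextPath" value="/"/>
    <property name="handler">
      <bean class="org.mortbay.jetty.handler.ResourceHandler">
        <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
      </bean>
    </property>
  </bean>
"""
WRAP = '<beans xmlns="http://www.springframework.org/schema/beans">%s</beans>'
ACTIVE = WRAP % HANDLER                          # declaration still present
MITIGATED = WRAP % ("<!-- " + HANDLER + " -->")  # declaration commented out

if __name__ == "__main__":
    # Pass a path to jetty.xml, or run with no arguments to use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else ACTIVE
    handlers = find_resource_handlers(text)
    for base in handlers:
        print("ResourceHandler still active, resourceBase =", base)
    sys.exit(1 if handlers else 0)
```

A non-zero exit status means the declaration is still active, so the check can gate a deployment or a configuration audit.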