ActiveMQ / AMQ-7231

XSS in webconsole

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.15.6
    • Fix Version/s: 5.16.0, 5.15.12
    • Component/s: Web Console
    • Labels: None

      Description

      The admin GUI is very much open to XSS, in the view that lists the contents of a queue.

      Using Camel, here is the code required to make the GUI run JavaScript-code:

      messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", "hello}\"><script>alert('XSS :(');</script>");

      This also happens when you have a header containing xml, where an element holds an attribute:

      messageQueue.sendBodyAndHeader("activemq:hack", "body", "hack", "<Something something=\"something\">hello</noe>><script>alert('XSS :(');</script>");

      Seems to be due to how the title of the message is generated. This last one also messes up the way a message is displayed in the list, since it will start displaying the xml content after the attribute as HTML.
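As an added example (not code from this report or from ActiveMQ), a small Python stand-in for the queue-listing row: `render_row_unsafe` interpolates a header value raw into the title attribute, as the report describes, `render_row_safe` HTML-escapes it first, and `inspect` parses the result the way a browser would, so the two header values above can be checked for a stray script element. The row markup and function names are assumptions for illustration only.

```python
import html
from html.parser import HTMLParser

# The two header values from the report above, reused here as test input.
REPORTED_HEADERS = [
    "hello}\"><script>alert('XSS :(');</script>",
    "<Something something=\"something\">hello</noe>><script>alert('XSS :(');</script>",
]


def render_row_unsafe(header_value: str) -> str:
    """Assumed stand-in for the vulnerable pattern (not the console's own JSP):
    the header value is interpolated raw into the title attribute."""
    return f'<td><a href="message.jsp" title="{header_value}">view</a></td>'


def render_row_safe(header_value: str) -> str:
    """Hardened variant: escape &, <, >, " and ' before the value reaches the attribute."""
    return f'<td><a href="message.jsp" title="{html.escape(header_value, quote=True)}">view</a></td>'


class _TagCollector(HTMLParser):
    """Records start tags and <a title="..."> values as a browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.titles: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            self.titles.extend(v for k, v in attrs if k == "title" and v is not None)


def inspect(markup: str) -> tuple[list[str], list[str]]:
    """Return (start tags, <a> title values) parsed from one rendered row."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.titles


def injects_script(header_value: str, renderer) -> bool:
    """True if the header value produced a <script> element in the rendered row."""
    tags, _ = inspect(renderer(header_value))
    return "script" in tags


if __name__ == "__main__":
    for h in REPORTED_HEADERS:
        print("unsafe:", injects_script(h, render_row_unsafe), "safe:", injects_script(h, render_row_safe))
```

With escaping, the title attribute still round-trips the full header text for display, but the parser sees only the td and a elements.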

      People

      • Assignee: coheigea (Colm O hEigeartaigh)
      • Reporter: tobb (Torbjørn Skyberg Knutsen)
      • Votes: 0
      • Watchers: 2

      Time Tracking

      • Estimated: Not Specified
      • Remaining: 0h
      • Logged: 20m