Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-7465

Xerver Double Slash Authentication Bypass detected on ActiveMQ directory

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 5.14.5
    • 5.16.0, 5.15.13
    • Security/JAAS
    • None

    Description

      Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.

      The version of Xerver installed on the remote host is affected by an authentication bypass vulnerability. It is possible to access protected web directories without authentication by prepending the directory with an extra '/'character, as long as the directory is not recursively protected.
      A remote, unauthenticated attacker can leverage this issue to gain access to protected web directories.

      Nessus was able to reproduce the issue using the following URL :
      https://seliiuapp11022.seli.gic.ericsson.se:8162//admin/

      We have assigned 8162 port for activemq GUI in our applications

      Attachments

        Activity

          People

            jbonofre Jean-Baptiste Onofré
            xvanbha Bhavana
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 20m
                20m