[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042157#comment-13042157 ]
Javier Segura commented on AMQ-3345:
------------------------------------
We are using the Sun JRE. Maybe it is related to the SSH tunnel? This began to happen
yesterday after the update from 5.4.1; all the other elements in the scenario
(Java VM, SSH forwarded port, machines, queues...) are the same.
> Possible CSRF attack on 5.5
> ---------------------------
>
> Key: AMQ-3345
> URL: https://issues.apache.org/jira/browse/AMQ-3345
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.5.0
> Environment: Ubuntu server LTS 10.04.2
> Linux abertis 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux
> Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)
> Reporter: Javier Segura
> Labels: csrf
>
> When trying to purge the contents of any queue, I receive:
> 2011-06-01 11:28:31,103 | WARN | /admin/queues.jsp | org.eclipse.jetty.util.log | qtp85031456-16
> javax.el.ELException: java.lang.reflect.UndeclaredThrowableException
>     at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
>     at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
>     at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
>     at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
>     at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>     at org.eclipse.jetty.server.Server.handle(Server.java:351)
>     at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
>     at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>     at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>     at java.lang.Thread.run(Thread.java:619)