Tomas Vavricka created QPID-8675:
------------------------------------

             Summary: [Broker-J] XSS vulnerability in path
                 Key: QPID-8675
                 URL: https://issues.apache.org/jira/browse/QPID-8675
             Project: Qpid
          Issue Type: Bug
          Components: Broker-J
    Affects Versions: qpid-java-broker-9.2.0
            Reporter: Tomas Vavricka
             Fix For: qpid-java-broker-9.2.1


Indraneel Dey reported on the mailing list
(https://lists.apache.org/thread/mgok3h4cpplod35wv83v9348gfxsd760):
{quote}Hello,

Our application uses QPID Broker-J and one of our users recently made us
aware of an XSS vulnerability. The application seems to be vulnerable to a
"reflected XSS attack" for the Management channel.

Sending a request in the form of
"{management-endpoint}/some-script-containing-alert" results in a response
of the form of "Unknown path 'some-script-containing-alert'. Please read
the api docs at ...". The part of the URL, "some-script-containing-alert",
can contain any malicious script which is reflected in the response as is,
and can be exploited for an XSS attack.

I looked at QPID-6022 but the fix therein seems to have been insufficient.
It seems that similar fixes are also required in following files for both
"Unknown File" and "Unknown Path":

* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java
* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java

Thank you for your attention to this matter.

regards,
Indraneel Dey
{quote}
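The defect described above is the classic reflected-XSS shape: a caller-controlled path segment is concatenated into an error body that the browser renders as HTML. The following is an added illustration, not Broker-J code and not the patch for this issue: it shows the unescaped concatenation beside a hardened version that HTML-escapes the segment before interpolating it. The class name `UnknownPathResponse`, the helper `escapeHtml`, the message template and the `DOCS-URL-PLACEHOLDER` value are all assumptions made for the example; the exact wording and docs link in the real servlets are not reproduced here.

```java
import java.util.Objects;

/**
 * Added example (not Broker-J code): building an "Unknown path" error body
 * so that a caller-controlled path segment cannot inject markup into the
 * response. The same treatment applies to the "Unknown file" message.
 */
public final class UnknownPathResponse {

    // Wording modelled on the report above; the real servlet text may differ.
    private static final String TEMPLATE =
            "Unknown path '%s'. Please read the api docs at %s";

    // Placeholder: the real documentation link lives in the servlet, not on the page.
    private static final String DOCS_URL = "DOCS-URL-PLACEHOLDER";

    private UnknownPathResponse() { }

    /**
     * Minimal HTML escaping for text content: the five characters that can
     * change parsing in text or attribute context are replaced by entities.
     */
    public static String escapeHtml(String s) {
        Objects.requireNonNull(s, "s");
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the raw path segment is interpolated as-is. */
    public static String vulnerableBody(String pathSegment) {
        return String.format(TEMPLATE, pathSegment, DOCS_URL);
    }

    /** Hardened pattern: escape the untrusted segment before interpolation. */
    public static String hardenedBody(String pathSegment) {
        return String.format(TEMPLATE, escapeHtml(pathSegment), DOCS_URL);
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup, as a user-supplied path might.
        String constructedPath = "<script>alert(1)</script>";

        // Vulnerable: markup survives into the body and would be rendered.
        System.out.println("vulnerable: " + vulnerableBody(constructedPath));

        // Hardened: the tag characters become entities and display as text.
        System.out.println("hardened:   " + hardenedBody(constructedPath));
    }
}
```

Escaping at the point of interpolation is the fix that scales to every message that echoes request data. As a second layer, serving such error bodies with `Content-Type: text/plain; charset=utf-8` and `X-Content-Type-Options: nosniff` keeps a browser from interpreting them as HTML even if a future message forgets to escape; neither header is a substitute for escaping when the body is genuinely HTML.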



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
