Tomas Vavricka created QPID-8675: ------------------------------------ Summary: [Broker-J] XSS vulnerability in path Key: QPID-8675 URL: https://issues.apache.org/jira/browse/QPID-8675 Project: Qpid Issue Type: Bug Components: Broker-J Affects Versions: qpid-java-broker-9.2.0 Reporter: Tomas Vavricka Fix For: qpid-java-broker-9.2.1
Indraneel Dey reported on mailing list (https://lists.apache.org/thread/mgok3h4cpplod35wv83v9348gfxsd760): {quote}Hello, Our application uses QPID Broker-J and one of our users recently made us aware of an XSS vulnerability. The application seems to be vulnerable to a "reflected XSS attack" for the Management channel. Sending a request in the form of " Unknown macro: \{management-endpoint} /some-script-containing-alert" results in a response of the form of "Unknown path 'some-script-containing-alert'. Please read the api docs at ...". The part of the URL, "some-script-containing-alert", can contain any malicious script which is reflected in the response as is, and can be exploited for an XSS attack. I looked at QPID-6022 but the fix therein seems to have been insufficient. It seems that similar fixes are also required in following files for both "Unknown File" and "Unknown Path": * broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java * broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java Thank you for your attention to this matter regards, Indraneel Dey {quote} -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org