lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7d04ec561003301053h1e76ca39q7371be557f94de21@mail.gmail.com>
Date: Tue, 30 Mar 2010 13:53:01 -0400
From: rajat swarup <rajats@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	cve@...re.org
Subject: CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS) 
	Vulnerability

CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS)
Vulnerability
==============================================================

Security Advisory 03.30.2010

I. BACKGROUND

Apache ActiveMQ  is the most popular and powerful open source
messaging and Integration Patterns provider.

http://activemq.apache.org/

II. DESCRIPTION

Remote unauthenticated exploitation of an input validation
vulnerability in Apache Software Foundation's ActiveMQ server could
allow an attacker to perform a
stored or persistent cross-site scripting (XSS) attack.  The code
responsible for parsing HTTP requests is vulnerable to an XSS
vulnerability. When parsing the JMSDestination parameter from a GET
request to /createDestination.action page, the value of this variable
is directly inserted into the HTML code that can be accessed by using
URLs such as /queues.jsp. This allows an attacker to run arbitrary
JavaScript in the context of the affected domain of the ActiveMQ
administration console.

III. ANALYSIS

Successful exploitation of this vulnerability allows an attacker to
conduct an XSS attack on a user. This could allow an attacker to steal
cookies, inject content into pages, or submit requests using the
user's credentials.  To exploit this vulnerability, an attacker must
send malicious request to the vulnerable Active MQ server such as the
following request:
http://www.example.com/createDestination.action?JMSDestination=[XSS_PAYLOAD]
Once this request is sent, anyone accessing the ActiveMQ queues would
have the XSS payload executed in the context of the browser session
being used to browse using a URL such as:
http://www.example.com/queues.jsp

IV. DETECTION

The author and Apache Software Foundation's ActiveMQ group has
confirmed this vulnerability.

V. WORKAROUND

The author is currently unaware of any workaround for this issue but
fix has been released by the vendor.

VI. VENDOR RESPONSE

The Apache Software Foundation ActiveMQ team has addressed this
vulnerability by releasing version 5.3.1 of ActiveMQ.
More information can be found at the following URL.
http://issues.apache.org/activemq/browse/AMQ-2613

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2010-0684 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org/), which standardizes
names for security problems.

VIII. DISCLOSURE TIMELINE

02/17/2010  Initial vendor notification
02/17/2010  Initial vendor response
02/23/2010  Vendor Fix committed to SVN
03/24/2010  ActiveMQ 5.3.1 publicly released to fix the issue
03/30/2010  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported by Rajat Swarup (http://www.rajatswarup.com).

X. ACKNOWLEDGEMENT

The author wishes to thank Rob Davies and Dejan Bosanac of Apache
ActiveMQ team for fixing the issues on a high priority.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ