[jira] [Closed] (QPID-8675) [Broker-J] XSS vulnerability in path

Fri, 28 Feb 2025 00:59:22 -0800 


     [ 
https://issues.apache.org/jira/browse/QPID-8675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tomas Vavricka closed QPID-8675.
--------------------------------

> [Broker-J] XSS vulnerability in path
> ------------------------------------
>
>                 Key: QPID-8675
>                 URL: https://issues.apache.org/jira/browse/QPID-8675
>             Project: Qpid
>          Issue Type: Bug
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.6, qpid-java-broker-9.0.0, 
> qpid-java-broker-9.1.0, qpid-java-broker-9.2.0
>            Reporter: Tomas Vavricka
>            Priority: Major
>             Fix For: qpid-java-broker-9.2.1
>
>
> Indraneel Dey reported on [mailing 
> list|https://lists.apache.org/thread/mgok3h4cpplod35wv83v9348gfxsd760]:
> {quote}Hello,
> Our application uses QPID Broker-J and one of our users recently made us
> aware of an XSS vulnerability. The application seems to be vulnerable to a
> "reflected XSS attack" for the Management channel.
> Sending a request in the form of
> "
> Unknown macro: \{management-endpoint}
> /some-script-containing-alert" results in a response
> of the form of "Unknown path 'some-script-containing-alert'. Please read
> the api docs at ...". The part of the URL, "some-script-containing-alert",
> can contain any malicious script which is reflected in the response as is,
> and can be exploited for an XSS attack.
> I looked at QPID-6022 but the fix therein seems to have been insufficient.
> It seems that similar fixes are also required in following files for both
> "Unknown File" and "Unknown Path":
> *
> broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java
> *
> broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java
> Thank you for your attention to this matter
> regards,
> Indraneel Dey
> {quote}
> *Implementation*
> The class DefinedFileServlet doesn't seem to be used in broker code and could 
> be deleted.
> In class RootServlet the error message should escape text replacing the 
> characters >, <, &, " and ' to appropriate escaped entities.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to