Hello,

Our application uses QPID Broker-J and one of our users recently made us aware of an XSS vulnerability. The application seems to be vulnerable to a "reflected XSS attack" for the Management channel.

Sending a request in the form of "{management-endpoint}/some-script-containing-alert" results in a response of the form "Unknown path 'some-script-containing-alert'. Please read the api docs at ...". The part of the URL, "some-script-containing-alert", can contain any malicious script, which is reflected in the response as is and can be exploited for an XSS attack.

I looked at QPID-6022 but the fix therein seems to have been insufficient. It seems that similar fixes are also required in the following files for both "Unknown File" and "Unknown Path":

* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/RootServlet.java
* broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/DefinedFileServlet.java

Thank you for your attention to this matter.

Regards,
Indraneel Dey
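As an added illustration (not Broker-J's RootServlet or DefinedFileServlet code, and not from the reporter), the stand-alone class below shows the reflection pattern described in the report next to the encoding that neutralises it; the class name, the `{api-docs-url}` placeholder and the sample path are assumptions.

```java
/**
 * Hypothetical, self-contained illustration of an "Unknown path" error message that
 * reflects the requested path. Not Broker-J code; names and message text are assumed.
 */
public final class UnknownPathResponse {

    // Placeholder for the documentation link the real message points at.
    private static final String API_DOCS = "{api-docs-url}";

    /** Vulnerable pattern: untrusted path text is concatenated into a text/html body verbatim. */
    static String unescapedMessage(String requestedPath) {
        return "Unknown path '" + requestedPath + "'. Please read the api docs at " + API_DOCS;
    }

    /** Hardened pattern: HTML-significant characters are encoded before the value is embedded,
     *  so the browser renders the path as text rather than parsing it as markup. */
    static String escapedMessage(String requestedPath) {
        return "Unknown path '" + escapeHtml(requestedPath) + "'. Please read the api docs at " + API_DOCS;
    }

    /** Minimal HTML entity encoder for an element-content/attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Regression check for a response body built from a fixed template plus one untrusted
     *  value: the template itself contains no tag delimiters, so any '<' or '>' in the
     *  output can only have come from unencoded input. */
    static boolean reflectsMarkup(String responseBody) {
        return responseBody.indexOf('<') >= 0 || responseBody.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: harmless markup that stands in for whatever a client might send.
        String path = "<b>not-a-real-path</b>";
        System.out.println("vulnerable reflects markup: " + reflectsMarkup(unescapedMessage(path))); // true
        System.out.println("hardened reflects markup:   " + reflectsMarkup(escapedMessage(path)));   // false
    }
}
```

Serving the error with `Content-Type: text/plain` (or a JSON body) instead of `text/html` is a complementary mitigation, since then the browser will not interpret the reflected text as markup at all.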