activemq-dev mailing list archives

From "Rajat Swarup (JIRA)" <>
Subject [jira] Created: (AMQ-2625) Persistent Cross-site Scripting in /createDesitnation.action [JMSDestination parameter]
Date Wed, 24 Feb 2010 03:52:40 GMT
Persistent Cross-site Scripting in /createDesitnation.action [JMSDestination parameter]

                 Key: AMQ-2625
             Project: ActiveMQ
          Issue Type: Bug
    Affects Versions: 5.3.0
         Environment: Linux environment.
            Reporter: Rajat Swarup
            Assignee: Dejan Bosanac
            Priority: Critical
             Fix For: 5.3.1, 5.4.0

GET /createDestination.action?JMSDestinationType=queue&JMSDestination=%22%3E%3Cscript%3Ealert%28%22persistent%20XSS%22%29%3C%2fscript%3E
This GET request creates a queue with a malformed name due to lack of input validation.
After sending this request, a sample of the effect can be seen by browsing to /queues.jsp
and clicking on the "Home" link.
I do not know the affected version information yet.  Is there some way I can find it?    
Additionally, this is vulnerable to cross-site request forgery as well, but XSS is a more critical
bug than XSRF (at least at this point for me, I guess).

CVE Identifier issued for this:

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
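
The following is an added example, not part of the original report and not ActiveMQ's own code. It shows the two controls the report points to: validating the JMSDestination value before the destination is created, and HTML-encoding the stored name when a page lists it. The class name, method names and allow-list pattern are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class DestinationNameCheck {
    // Assumption: allow-list chosen for this example, not ActiveMQ's actual naming rule.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,255}");

    /** Input side: accept only names that match the allow-list. */
    static boolean isValidDestinationName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    /** Output side: encode a stored value for an HTML text or quoted-attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name and the URL-decoded value from the report's request.
        String[] names = {
            "orders.incoming",
            "\"><script>alert(\"persistent XSS\")</script>"
        };
        for (String name : names) {
            // A create handler would refuse the request when this is false.
            System.out.println("accepted at creation: " + isValidDestinationName(name));
            // What a listing page emits without encoding: the name is parsed as markup.
            System.out.println("  unencoded cell: <td>" + name + "</td>");
            // With encoding the same bytes are displayed as text, even if a bad name was stored earlier.
            System.out.println("  encoded cell:   <td>" + escapeHtml(name) + "</td>");
        }
    }
}
```

Encoding at output is the control that also covers names already stored before validation was introduced; validation alone does not clean existing data.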