activemq-dev mailing list archives

From "Dejan Bosanac (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AMQ-2700) Apache ActiveMQ is prone to source code disclosure vulnerability.
Date Thu, 22 Apr 2010 10:21:26 GMT

    [ https://issues.apache.org/activemq/browse/AMQ-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=59031#action_59031 ]

Dejan Bosanac commented on AMQ-2700:
------------------------------------

Hi Veerendra,

I just retested. The steps are as follows:

1. Download latest snapshot from https://repository.apache.org/content/repositories/snapshots/org/apache/activemq/apache-activemq/5.4-SNAPSHOT/apache-activemq-5.4-SNAPSHOT-bin.tar.gz

2. Install and run

3. Try accessing http://localhost:8161//admin/queues.jsp

I'm getting 404 as expected. Can you try this latest snapshot, just to be sure we're looking
at the same thing, and send your log if you're seeing something else?

> Apache ActiveMQ is prone to source code disclosure vulnerability.
> -----------------------------------------------------------------
>
>                 Key: AMQ-2700
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2700
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.3.1
>         Environment: Linux/Windows environment
>            Reporter: Veerendra G.G
>            Assignee: Dejan Bosanac
>            Priority: Critical
>             Fix For: 5.4.0
>
>         Attachments: SECPOD_ActiveMQ.txt
>
>
> An input validation error is present in Apache ActiveMQ. Adding '//' after the
> port in a URL causes it to disclose the JSP page source.
> This has been tested on various admin pages,
> admin/index.jsp, admin/queues.jsp, admin/topics.jsp etc.
> NOTE: Refer to the attached file for the complete information/advisory.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
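
The retest described in this message can be scripted so that a 404, a normally rendered page and leaked JSP source are told apart automatically. This is an added example, not part of the original message or of ActiveMQ; the function names (`classify`, `fetch`, `retest`) are hypothetical and the sample bodies are constructed.

```python
import re
import urllib.error
import urllib.request

# Admin pages named in the report; the double slash after the port is the trigger.
ADMIN_PAGES = ["admin/index.jsp", "admin/queues.jsp", "admin/topics.jsp"]

# JSP directives/scriptlets ("<%") and "<jsp:" actions are consumed by the JSP
# engine, so seeing them in a response body means the raw source was served.
JSP_SOURCE = re.compile(r"<%|<jsp:\w+")


def classify(status, body):
    """Map one HTTP response to 'fixed', 'source-disclosed', 'rendered' or 'other-<code>'."""
    if status == 404:
        return "fixed"  # the behaviour reported for the 5.4-SNAPSHOT build
    if status == 200:
        return "source-disclosed" if JSP_SOURCE.search(body) else "rendered"
    return "other-%d" % status


def fetch(url, timeout=5):
    """Return (status, body); urllib raises on 4xx/5xx, so unwrap HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def retest(base="http://localhost:8161"):
    """Request each admin page with '//' after the port on a local test broker."""
    return {page: classify(*fetch(base + "//" + page)) for page in ADMIN_PAGES}


# Constructed sample responses (not captured from a real broker).
SAMPLES = {
    "patched": (404, "<html><body>HTTP ERROR 404</body></html>"),
    "leaking": (200, '<%@ page contentType="text/html;charset=UTF-8" %>\n<html>'),
    "normal": (200, "<html><body><h2>Queues</h2></body></html>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, "->", classify(status, body))
```

Calling `retest()` against a locally running broker returns one verdict per admin page, which can be attached to the issue alongside the broker log.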

