activemq-dev mailing list archives

From "Dejan Bosanac (JIRA)" <j...@apache.org>
Subject [jira] Updated: (AMQ-2788) Directory Traversal Vulnerability
Date Tue, 22 Jun 2010 07:36:54 GMT

     [ https://issues.apache.org/activemq/browse/AMQ-2788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dejan Bosanac updated AMQ-2788:
-------------------------------

    Description: 
Due to a vulnerability in Jetty's ResourceHandler (http://jira.codehaus.org/browse/JETTY-1004),
ActiveMQ installations on Windows are prone to this vulnerability. For example, you can see
the README file by entering the following URL: http://localhost:8161/\../\../README.txt

This is solved by moving to the 7.x Jetty version on trunk and in the upcoming 5.4.0 release.

People affected by this issue should either upgrade manually to Jetty 6.1.17 or remove the resource
handler declaration by commenting out or deleting the following snippet from jetty.xml:

                   <bean class="org.mortbay.jetty.handler.ContextHandler">
                       <property name="contextPath" value="/"/>
                       <property name="handler">
                           <bean class="org.mortbay.jetty.handler.ResourceHandler">
                               <property name="welcomeFiles">
                                   <list>
                                       <value>index.html</value>
                                   </list>
                               </property>
                               <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
                           </bean> 
                       </property>
                   </bean>

  was:
Due to a vulnerability in Jetty's ResourceHandler (http://jira.codehaus.org/browse/JETTY-1004),
ActiveMQ installations on Windows are prone to this vulnerability.

This is solved by moving to the 7.x Jetty version on trunk and in the upcoming 5.4.0 release.

People affected by this issue should either upgrade manually to Jetty 6.1.17 or remove the resource
handler declaration by commenting out or deleting the following snippet from jetty.xml:

                   <bean class="org.mortbay.jetty.handler.ContextHandler">
                       <property name="contextPath" value="/"/>
                       <property name="handler">
                           <bean class="org.mortbay.jetty.handler.ResourceHandler">
                               <property name="welcomeFiles">
                                   <list>
                                       <value>index.html</value>
                                   </list>
                               </property>
                               <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
                           </bean> 
                       </property>
                   </bean>


> Directory Traversal Vulnerability
> ---------------------------------
>
>                 Key: AMQ-2788
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2788
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.3.1, 5.3.2
>         Environment: Windows
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.4.0
>
>
> Due to a vulnerability in Jetty's ResourceHandler (http://jira.codehaus.org/browse/JETTY-1004),
> ActiveMQ installations on Windows are prone to this vulnerability. For example, you can see
> the README file by entering the following URL: http://localhost:8161/\../\../README.txt
> This is solved by moving to the 7.x Jetty version on trunk and in the upcoming 5.4.0 release.
> People affected by this issue should either upgrade manually to Jetty 6.1.17 or remove the
> resource handler declaration by commenting out or deleting the following snippet from jetty.xml:
>                    <bean class="org.mortbay.jetty.handler.ContextHandler">
>                        <property name="contextPath" value="/"/>
>                        <property name="handler">
>                            <bean class="org.mortbay.jetty.handler.ResourceHandler">
>                                <property name="welcomeFiles">
>                                    <list>
>                                        <value>index.html</value>
>                                    </list>
>                                </property>
>                                <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
>                            </bean> 
>                        </property>
>                    </bean>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
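
An added example, not part of the original message or of the ActiveMQ project: a Python check that reports whether the ResourceHandler declaration quoted above is still live in a jetty.xml, or has been commented out or deleted as the message recommends. The bean snippet is the one from the message; the `<beans>` wrapper, the function names and the sample documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

RESOURCE_HANDLER = "org.mortbay.jetty.handler.ResourceHandler"
CONTEXT_HANDLER = "org.mortbay.jetty.handler.ContextHandler"

def _local(tag):
    """Strip an XML namespace (e.g. the Spring beans namespace) from a tag."""
    return tag.rsplit("}", 1)[-1]

def _prop(bean, name):
    """Return the value attribute of a direct <property name=...> child."""
    for child in bean:
        if _local(child.tag) == "property" and child.get("name") == name:
            return child.get("value")
    return None

def active_resource_handlers(jetty_xml_text):
    """List (contextPath, resourceBase) for each ResourceHandler bean still
    declared. ElementTree drops XML comments while parsing, so a
    commented-out declaration is not reported."""
    findings = []
    def walk(elem, context_path):
        if _local(elem.tag) == "bean":
            cls = elem.get("class")
            if cls == CONTEXT_HANDLER:
                context_path = _prop(elem, "contextPath") or context_path
            elif cls == RESOURCE_HANDLER:
                findings.append((context_path, _prop(elem, "resourceBase")))
        for child in elem:
            walk(child, context_path)
    walk(ET.fromstring(jetty_xml_text), None)
    return findings

# Snippet from the message; the surrounding <beans> element is constructed.
SNIPPET = """<bean class="org.mortbay.jetty.handler.ContextHandler">
  <property name="contextPath" value="/"/>
  <property name="handler">
    <bean class="org.mortbay.jetty.handler.ResourceHandler">
      <property name="welcomeFiles"><list><value>index.html</value></list></property>
      <property name="resourceBase" value="${activemq.base}/webapps/static/"/>
    </bean>
  </property>
</bean>"""
BEANS = '<beans xmlns="http://www.springframework.org/schema/beans">%s</beans>'
EXPOSED = BEANS % SNIPPET                        # declaration still active
MITIGATED = BEANS % ("<!-- " + SNIPPET + " -->")  # commented out as advised

if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED), ("mitigated", MITIGATED)):
        print(label, active_resource_handlers(doc))
```

An empty result only confirms the handler declaration is gone; it says nothing about which Jetty version is installed, so the upgrade path still has to be verified separately.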

