activemq-dev mailing list archives

From "Dejan Bosanac (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Date Wed, 01 Jun 2011 12:23:47 GMT

    [ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042131#comment-13042131 ]

Dejan Bosanac commented on AMQ-3345:
------------------------------------

How do you call this page? This check is introduced to prevent CSRF attacks, so that the "purge"
link can only be clicked from the webapp page. It works all fine here.

> Possible CSRF attack on 5.5
> ---------------------------
>
>                 Key: AMQ-3345
>                 URL: https://issues.apache.org/jira/browse/AMQ-3345
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.5.0
>         Environment: Ubuntu server LTS 10.04.2
> Linux abertis 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux
> Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)
>            Reporter: Javier Segura
>              Labels: csrf
>
> When trying to purge the contents of any queue, I receive:
> 2011-06-01 11:28:31,103 | WARN  | /admin/queues.jsp | org.eclipse.jetty.util.log | qtp85031456-16
> javax.el.ELException: java.lang.reflect.UndeclaredThrowableException
>         at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
>         at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
>         at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
>         at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
>         at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>         at org.eclipse.jetty.server.Server.handle(Server.java:351)
>         at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
>         at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>         at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>         at java.lang.Thread.run(Thread.java:619)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
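The check Dejan describes, a purge link that only works when it is reached from the webapp page, is the usual synchronizer-token defence against CSRF: the action URL carries a secret that is bound to the session and embedded only in pages served to that session, so a request arriving with just the session cookie is refused. The following Python is an added illustration of that pattern, not ActiveMQ's own code; the path `/admin/purge`, the parameter name `secret` and the in-memory session store are placeholders chosen for the example and say nothing about how the console actually implements the check.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed in-memory session store: session id -> per-session CSRF token.
# Stands in for the servlet session; the real webapp's storage is not shown here.
SESSIONS: Dict[str, str] = {}

# Placeholder action path and parameter name for this example only.
PURGE_PATH = "/admin/purge"
TOKEN_PARAM = "secret"


def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def render_purge_link(sid: str, queue: str) -> str:
    """The link the admin page embeds: it carries the session's own token.
    Only a page served to this session contains this value, which is what
    ties the purge action to "clicked from the webapp page"."""
    return f"{PURGE_PATH}?queue={queue}&{TOKEN_PARAM}={SESSIONS[sid]}"


def params_from_url(url: str) -> Dict[str, str]:
    """Parse the query string of a purge URL into a dict (last value wins)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def check_purge_request(sid: Optional[str], params: Dict[str, str]) -> Tuple[int, str]:
    """Decide a purge request. Returns (HTTP status, message).

    The browser attaches the session cookie to any request, so the cookie
    alone says nothing about where the click originated. The token does:
    a cross-site page cannot read it, so it cannot produce a request that
    carries it. A missing or wrong token yields a clean 403 instead of an
    unhandled exception, so a legitimate user who reached the link from a
    bookmark or an expired session sees why it failed.
    """
    if sid is None or sid not in SESSIONS:
        return 401, "no valid session"
    expected = SESSIONS[sid]
    supplied = params.get(TOKEN_PARAM, "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token; start the purge from the admin page"
    return 200, f"purged {params.get('queue', '')}"


def demo() -> Dict[str, int]:
    """Constructed scenarios: a click from the admin page, a request that
    carries only the session cookie, and a token minted for another session."""
    sid = new_session()
    link = render_purge_link(sid, "orders")
    from_admin_page = check_purge_request(sid, params_from_url(link))[0]
    # Reaches the server with the cookie (sid) but without the token.
    cookie_only = check_purge_request(sid, {"queue": "orders"})[0]
    # A token belonging to a different session is equally useless.
    other_sid = new_session()
    wrong_session = check_purge_request(other_sid, params_from_url(link))[0]
    return {
        "from_admin_page": from_admin_page,
        "cookie_only": cookie_only,
        "wrong_session": wrong_session,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'from_admin_page': 200, 'cookie_only': 403, 'wrong_session': 403}`. The design point for a console like this one is the last branch of `check_purge_request`: a token check that surfaces as a 403 with a message is much easier to diagnose than the `UndeclaredThrowableException` in the report above, because the user can tell "I opened the link outside the admin page" apart from a broken deployment.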
