activemq-dev mailing list archives

From "Javier Segura (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Date Wed, 01 Jun 2011 13:17:47 GMT

    [ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042157#comment-13042157 ]

Javier Segura commented on AMQ-3345:
------------------------------------

We are using the Sun JRE. Maybe it is related to the SSH tunnel? This began to happen yesterday after
the update from 5.4.1; all the other elements in the scenario (Java VM, SSH forwarded port,
machines, queues...) are the same.

> Possible CSRF attack on 5.5
> ---------------------------
>
>                 Key: AMQ-3345
>                 URL: https://issues.apache.org/jira/browse/AMQ-3345
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.5.0
>         Environment: Ubuntu server LTS 10.04.2
> Linux abertis 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux
> Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)
>            Reporter: Javier Segura
>              Labels: csrf
>
> When trying to purge the contents of any queue, I receive:
> 2011-06-01 11:28:31,103 | WARN  | /admin/queues.jsp | org.eclipse.jetty.util.log | qtp85031456-16
> javax.el.ELException: java.lang.reflect.UndeclaredThrowableException
>         at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
>         at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
>         at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
>         at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
>         at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>         at org.eclipse.jetty.server.Server.handle(Server.java:351)
>         at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
>         at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>         at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>         at java.lang.Thread.run(Thread.java:619)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
