Date: Fri, 8 Jul 2011 13:20:16 +0000 (UTC)
From: "Alex Soto (JIRA)"
To: dev@activemq.apache.org
Message-ID: <48336437.11143.1310131216637.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <896125243.59308.1306930307636.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5

    [ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13061949#comment-13061949 ]

Alex Soto commented on AMQ-3345:
--------------------------------

I also experienced this issue. Using a browser, no SSH involved.
Actually, it stopped happening while I was typing this, so this is very strange.

> Possible CSRF attack on 5.5
> ---------------------------
>
>                 Key: AMQ-3345
>                 URL: https://issues.apache.org/jira/browse/AMQ-3345
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.5.0
>         Environment: Ubuntu server LTS 10.04.2
> Linux abertis 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux
> Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)
>            Reporter: Javier Segura
>              Labels: csrf
>
> When trying to purge the contents of any queue, I receive:
> 2011-06-01 11:28:31,103 | WARN  | /admin/queues.jsp | org.eclipse.jetty.util.log | qtp85031456-16
> javax.el.ELException: java.lang.reflect.UndeclaredThrowableException
>     at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
>     at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
>     at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
>     at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
>     at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
>     at org.eclipse.jetty.server.Server.handle(Server.java:351)
>     at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
>     at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
>     at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
>     at java.lang.Thread.run(Thread.java:619)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira