##############################################################################
Apache ActiveMQ Source Code Disclosure Vulnerability
SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################
SecPod ID: 1002                04/18/2010 Issue Discovered
                               04/20/2010 Vendor Notified
                               04/21/2010 Fix Available

Class: Source code disclosure  Severity: Medium
Overview:
---------
Apache ActiveMQ is prone to a source code disclosure vulnerability.
Technical Description:
----------------------
An input validation error is present in Apache ActiveMQ. Adding '//' after the
port in a URL causes the server to disclose the JSP page source.
This has been tested on various admin pages, including
admin/index.jsp, admin/queues.jsp and admin/topics.jsp.
Impact:
--------
Successful exploitation allows an attacker to view the source code of a visited
page, which can be used for further attacks.
Affected Software:
------------------
ActiveMQ 5.4 and prior
ActiveMQ 5.3.1 and prior
Tested on,
- ActiveMQ 5.4 SNAPSHOT on Fedora 10
- ActiveMQ 5.3.1 on Fedora 10
- ActiveMQ 5.2.0 on Fedora 10
- ActiveMQ 5.4 SNAPSHOT on Windows XP SP2
- ActiveMQ 5.3.1 on Windows XP SP2
- ActiveMQ 5.2.0 on Windows XP SP2
Reference:
---------
http://activemq.apache.org/
Proof of Concept:
-----------------
Use a browser to visit the following links, replacing localhost with the IP
address of the ActiveMQ host.
1) http://localhost:8161//admin/index.jsp
2) http://localhost:8161//admin/queues.jsp
3) http://localhost:8161//admin/topics.jsp
Work Around:
------------
A workaround is available at https://issues.apache.org/activemq/browse/AMQ-2700
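
A log check for the request pattern described in this advisory, as an added
example that is not part of the original advisory or of ActiveMQ: it scans
access-log lines for requests whose path begins with '//' and names a .jsp page.
The NCSA-style log format, the sample lines and the function names are
assumptions constructed for illustration, and the check relies on the web
console logging the request path as received.

```python
import re
from urllib.parse import urlsplit

# NCSA-style access log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

def is_double_slash_jsp(target):
    """True when the request path starts with '//' and names a .jsp page."""
    if "://" in target:
        # Absolute-form target: http://host:8161//admin/index.jsp
        path = urlsplit(target).path
    else:
        # Origin-form target. urlsplit() would read '//admin' as a host,
        # so strip the query and fragment by hand instead.
        path = target.split("?", 1)[0].split("#", 1)[0]
    path = path.split(";", 1)[0]  # drop ';jsessionid=...' path parameters
    return path.startswith("//") and path.lower().endswith(".jsp")

def find_hits(lines):
    """Return one record per matching request; 'served' marks HTTP 200."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_double_slash_jsp(m["target"]):
            hits.append({"client": m["client"], "target": m["target"],
                         "served": m["status"] == "200"})
    return hits

# Constructed sample log lines (documentation address range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2010:10:00:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Apr/2010:10:00:07 +0000] "GET //admin/index.jsp HTTP/1.1" 200 2310',
    '192.0.2.44 - - [22/Apr/2010:10:00:09 +0000] "GET //admin/queues.jsp?x=1 HTTP/1.1" 200 1874',
    '192.0.2.44 - - [22/Apr/2010:10:00:12 +0000] "GET //admin/topics.jsp HTTP/1.1" 404 312',
    '192.0.2.10 - - [22/Apr/2010:10:00:15 +0000] "GET /admin/styles/site.css HTTP/1.1" 200 900',
    '192.0.2.51 - - [22/Apr/2010:10:00:20 +0000] "GET http://192.0.2.1:8161//admin/index.jsp HTTP/1.1" 200 2310',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        state = "served" if hit["served"] else "not served"
        print(f'{hit["client"]} {hit["target"]} ({state})')
```

A hit marked as served only shows that the request was answered with HTTP 200; whether JSP source was returned depends on the installed version.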
Solution:
----------
Fixed in 5.4-snapshot
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = WORKAROUND
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.