Apache ActiveMQ is prone to source code disclosure vulnerability. Apr 22 2010 02:43PM
research secpod com
########################################################################
######
Apache ActiveMQ Source Code Disclosure Vulnerability

SecPod Technologies (www.secpod.com)
Author Veerendra G.G
########################################################################
#######

SecPod ID: 1002 04/18/2010 Issue Discovered
04/20/2010 Vendor Notified
04/21/2010 Fix Available

Class: Source code disclosure Severity: Medium

Overview:
---------
Apache ActiveMQ is prone to source code disclosure vulnerability.

Technical Description:
----------------------
An input validation error is present in Apache ActiveMQ. Adding '//' after the
port in an URL causes it to disclose the JSP page source.

This has been tested on various admin pages,
admin/index.jsp, admin/queues.jsp, admin/topics.jsp etc.

Impact:
--------
Successful exploitation allows an attacker to view the source code of a visited
page which can be used for further attacks.

Affected Software:
------------------
ActiveMQ 5.4 and prior
ActiveMQ 5.3.1 and prior

Tested on,
- ActiveMQ 5.4 SNAPSHOT on Fedora 10
- ActiveMQ 5.3.1 on Fedora 10
- ActiveMQ 5.2.0 on Fedora 10
- ActiveMQ 5.4 SNAPSHOT on Windows XP SP2
- ActiveMQ 5.3.1 on Windows XP SP2
- ActiveMQ 5.2.0 on Windows XP SP2

Reference:
---------
http://activemq.apache.org/

Proof of Concept:
-----------------
Use Browser to visit the link by replacing localhost with IP.

1) http://localhost:8161//admin/index.jsp
2) http://localhost:8161//admin/queues.jsp
3) http://localhost:8161//admin/topics.jsp

Work Around:
------------
Work around is available at, https://issues.apache.org/activemq/browse/AMQ-2700

Solution:
----------
Fixed in 5.4-snapshot

Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = WORKAROUND
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus