[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Apache ActiveMQ is prone to source code disclosure vulnerability.



##############################################################################
Apache ActiveMQ Source Code Disclosure Vulnerability

SecPod Technologies (www.secpod.com)
Author Veerendra G.G
###############################################################################

SecPod ID:	1002			04/18/2010 Issue Discovered
					04/20/2010 Vendor Notified
					04/21/2010 Fix Available

Class: Source code disclosure 		Severity: Medium


Overview:
---------
Apache ActiveMQ is prone to source code disclosure vulnerability.

Technical Description:
----------------------
An input validation error is present in Apache ActiveMQ. Adding '//' after the
port in an URL causes it to disclose the JSP page source.

This has been tested on various admin pages,
admin/index.jsp, admin/queues.jsp, admin/topics.jsp etc.

Impact:
--------
Successful exploitation allows an attacker to view the source code of a visited
page which can be used for further attacks.

Affected Software:
------------------
ActiveMQ 5.4 and prior
ActiveMQ 5.3.1 and prior

Tested on,
- ActiveMQ 5.4 SNAPSHOT on Fedora 10
- ActiveMQ 5.3.1 on Fedora 10
- ActiveMQ 5.2.0 on Fedora 10
- ActiveMQ 5.4 SNAPSHOT on Windows XP SP2
- ActiveMQ 5.3.1 on Windows XP SP2
- ActiveMQ 5.2.0 on Windows XP SP2

Reference:
---------
http://activemq.apache.org/

Proof of Concept:
-----------------
Use Browser to visit the link by replacing localhost with IP. 

1) http://localhost:8161//admin/index.jsp
2) http://localhost:8161//admin/queues.jsp
3) http://localhost:8161//admin/topics.jsp

Work Around:
------------
Work around is available at, https://issues.apache.org/activemq/browse/AMQ-2700

Solution:
----------
Fixed in 5.4-snapshot

Risk Factor:
-------------
    CVSS Score Report: 
        ACCESS_VECTOR          = NETWORK 
        ACCESS_COMPLEXITY      = LOW 
        AUTHENTICATION         = NOT_REQUIRED 
        CONFIDENTIALITY_IMPACT = PARTIAL 
        INTEGRITY_IMPACT       = NONE 
        AVAILABILITY_IMPACT    = NONE 
        EXPLOITABILITY         = PROOF_OF_CONCEPT 
        REMEDIATION_LEVEL      = WORKAROUND
        REPORT_CONFIDENCE      = CONFIRMED 
        CVSS Base Score        = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.