CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS) Vulnerability ============================================================== Security Advisory 03.30.2010 I. BACKGROUND Apache ActiveMQ is the most popular and powerful open source messaging and Integration Patterns provider. http://activemq.apache.org/ II. DESCRIPTION Remote unauthenticated exploitation of an input validation vulnerability in Apache Software Foundation's ActiveMQ server could allow an attacker to perform a stored or persistent cross-site scripting (XSS) attack. The code responsible for parsing HTTP requests is vulnerable to an XSS vulnerability. When parsing the JMSDestination parameter from a GET request to /createDestination.action page, the value of this variable is directly inserted into the HTML code that can be accessed by using URLs such as /queues.jsp. This allows an attacker to run arbitrary JavaScript in the context of the affected domain of the ActiveMQ administration console. III. ANALYSIS Successful exploitation of this vulnerability allows an attacker to conduct an XSS attack on a user. This could allow an attacker to steal cookies, inject content into pages, or submit requests using the user's credentials. To exploit this vulnerability, an attacker must send malicious request to the vulnerable Active MQ server such as the following request: http://www.example.com/createDestination.action?JMSDestination=[XSS_PAYLOAD] Once this request is sent, anyone accessing the ActiveMQ queues would have the XSS payload executed in the context of the browser session being used to browse using a URL such as: http://www.example.com/queues.jsp IV. DETECTION The author and Apache Software Foundation's ActiveMQ group has confirmed this vulnerability. V. WORKAROUND The author is currently unaware of any workaround for this issue but fix has been released by the vendor. VI. VENDOR RESPONSE The Apache Software Foundation ActiveMQ team has addressed this vulnerability by releasing version 5.3.1 of ActiveMQ. More information can be found at the following URL. http://issues.apache.org/activemq/browse/AMQ-2613 VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-0684 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 02/17/2010 Initial vendor notification 02/17/2010 Initial vendor response 02/23/2010 Vendor Fix committed to SVN 03/24/2010 ActiveMQ 5.3.1 publicly released to fix the issue 03/30/2010 Coordinated public disclosure IX. CREDIT This vulnerability was reported by Rajat Swarup (http://www.rajatswarup.com). X. ACKNOWLEDGEMENT The author wishes to thank Rob Davies and Dejan Bosanac of Apache ActiveMQ team for fixing the issues on a high priority.