rabbitmq -- Security issues in management plugin

2015-01-08T00:00:00
ID 8469D41C-A960-11E4-B18E-BCAEC55BE5E5
Type freebsd
Reporter FreeBSD
Modified 2015-01-08T00:00:00

Description

The RabbitMQ project reports:

Some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI:

When a user unqueued a message from the management UI, message details (header names, arguments, etc.) were displayed unescaped. An attacker could publish a specially crafted message to add content or execute arbitrary Javascript code on behalf of a user, if this user unqueued the message from the management UI.

When viewing policies, their name was displayed unescaped. An attacker could create a policy with a specially crafted name to add content or execute arbitrary Javascript code on behalf of a user who is viewing policies.

When listing connected AMQP network clients, client details such as its version were displayed unescaped. An attacker could use a client with a specially crafted version field to add content or execute arbitrary Javascript code on behalf of a user who is viewing connected clients.

In all cases, the attacker needs a valid user account on the targeted RabbitMQ cluster.

Furthermore, some admin-controllable content was not properly escaped:

user names;
the cluster name.

Likewise, an attacker could add content or execute arbitrary Javascript code on behalf of a user using the management web UI. However, the attacker must be an administrator on the RabbitMQ cluster, thus a trusted user.
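
The class of fix the advisory describes, shown as an added example that is not code from RabbitMQ or from this advisory: a management-style view that concatenates client-supplied fields into markup, next to the same view with output escaping, plus a regression check a maintainer could keep in a test suite. All function names, field names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not RabbitMQ's code.

// Characters that let text break out of HTML element content or a
// quoted attribute value, mapped to their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Single pass, so an '&' produced by escaping is never escaped again.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": fields are concatenated as-is, so markup inside a
// client-supplied field (such as the client version) becomes page markup.
function renderConnectionRowUnsafe(conn) {
  return '<tr><td>' + conn.user + '</td><td>' + conn.clientVersion + '</td></tr>';
}

// "After": every field is escaped at the point of output, whether it was
// set by a regular user (client version) or an administrator (user name).
function renderConnectionRowSafe(conn) {
  return '<tr><td>' + escapeHtml(conn.user) + '</td><td>' +
    escapeHtml(conn.clientVersion) + '</td></tr>';
}

// Message header names are attacker-controlled as well as their values,
// so both sides of each pair are escaped.
function renderHeadersSafe(headers) {
  return Object.entries(headers)
    .map(([name, val]) =>
      '<tr><th>' + escapeHtml(name) + '</th><td>' + escapeHtml(val) + '</td></tr>')
    .join('');
}

// Regression check: after removing the tags the templates emit themselves,
// no angle bracket may remain in the rendered output.
function containsUnexpectedMarkup(html) {
  return /[<>]/.test(html.replace(/<\/?(tr|td|th)>/g, ''));
}

// Constructed sample input (not taken from a real client or message).
const sampleConn = { user: 'guest', clientVersion: '0.0.0<script>alert(1)</script>' };
const sampleHeaders = { 'x-trace"><b>': '<i>value</i>' };

console.log(containsUnexpectedMarkup(renderConnectionRowUnsafe(sampleConn)));
console.log(containsUnexpectedMarkup(renderConnectionRowSafe(sampleConn)));
console.log(renderHeadersSafe(sampleHeaders));
```
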