Apache ActiveMQ is prone to a source code disclosure vulnerability.

2010-04-26T00:00:00
ID SECURITYVULNS:DOC:23700
Type securityvulns
Reporter Securityvulns
Modified 2010-04-26T00:00:00

Description

Apache ActiveMQ Source Code Disclosure Vulnerability

SecPod Technologies (www.secpod.com)
Author: Veerendra G.G

SecPod ID: 1002
04/18/2010 Issue Discovered
04/20/2010 Vendor Notified
04/21/2010 Fix Available

Class: Source code disclosure
Severity: Medium

Overview:

Apache ActiveMQ is prone to a source code disclosure vulnerability.

Technical Description:

An input validation error is present in Apache ActiveMQ. Adding '//' after the port in a URL causes the server to disclose the JSP page source.

This has been tested on various admin pages: admin/index.jsp, admin/queues.jsp, admin/topics.jsp, etc.
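
One way to look for this request pattern in web access logs, as an added example that is not part of the SecPod advisory or of ActiveMQ. The NCSA log format, the constructed sample lines and the function names are assumptions.

```python
import re

# NCSA common/combined access-log line; the log format is an assumption
# (the advisory does not show any logs).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def request_path(target):
    """Return the raw path of a request target without collapsing slashes.

    urllib.parse.urlsplit() is deliberately avoided: it reads
    '//admin/index.jsp' as host 'admin' plus path '/index.jsp',
    which would hide exactly the pattern we are looking for.
    """
    m = re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*://[^/?#]*', target)
    if m:                                  # absolute-form: drop scheme://authority
        target = target[m.end():]
    return re.split(r'[?#]', target, maxsplit=1)[0]

def find_double_slash_jsp(lines):
    """Return (client, time, path, status) for each '//...*.jsp' request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip malformed / non-request lines
        path = request_path(m.group('target'))
        if path.startswith('//') and path.lower().endswith('.jsp'):
            hits.append((m.group('client'), m.group('time'), path,
                         int(m.group('status'))))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2010:10:00:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.77 - - [26/Apr/2010:10:00:05 +0000] "GET //admin/queues.jsp HTTP/1.1" 200 3310',
    '192.0.2.77 - - [26/Apr/2010:10:00:06 +0000] "GET http://broker.example:8161//admin/topics.jsp?x=1 HTTP/1.1" 200 2988',
    '192.0.2.10 - - [26/Apr/2010:10:00:09 +0000] "GET /admin/styles//site.css HTTP/1.1" 200 812',
    'garbage line',
]

if __name__ == '__main__':
    for hit in find_double_slash_jsp(SAMPLE_LOG):
        print(hit)
```

Only a doubled slash at the start of the path is flagged, matching the advisory's description; a doubled slash later in the path (the CSS request above) is ignored.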

Impact:

Successful exploitation allows an attacker to view the source code of a visited page, which can be used for further attacks.

Affected Software:

ActiveMQ 5.4 and prior
ActiveMQ 5.3.1 and prior

Tested on:
- ActiveMQ 5.4 SNAPSHOT on Fedora 10
- ActiveMQ 5.3.1 on Fedora 10
- ActiveMQ 5.2.0 on Fedora 10
- ActiveMQ 5.4 SNAPSHOT on Windows XP SP2
- ActiveMQ 5.3.1 on Windows XP SP2
- ActiveMQ 5.2.0 on Windows XP SP2

Reference:

http://activemq.apache.org/

Proof of Concept:

Use a browser to visit the links below, replacing localhost with the server's IP address.

1) http://localhost:8161//admin/index.jsp
2) http://localhost:8161//admin/queues.jsp
3) http://localhost:8161//admin/topics.jsp

Work Around:

A workaround is available at https://issues.apache.org/activemq/browse/AMQ-2700

Solution:

Fixed in 5.4-snapshot

Risk Factor:

CVSS Score Report: 
    ACCESS_VECTOR          = NETWORK 
    ACCESS_COMPLEXITY      = LOW 
    AUTHENTICATION         = NOT_REQUIRED 
    CONFIDENTIALITY_IMPACT = PARTIAL 
    INTEGRITY_IMPACT       = NONE 
    AVAILABILITY_IMPACT    = NONE 
    EXPLOITABILITY         = PROOF_OF_CONCEPT 
    REMEDIATION_LEVEL      = WORKAROUND
    REPORT_CONFIDENCE      = CONFIRMED 
    CVSS Base Score        = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)

Credits:

Veerendra G.G of SecPod Technologies has been credited with the discovery of this vulnerability.