oss-sec mailing list archives
CVE Request: XSS and response-splitting bugs in rabbitmq management plugin
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Wed, 21 Jan 2015 13:47:28 -0500
Hello, The following issues were fixed in RabbitMQ 3.4.1: (as described in https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs ) 26437 prevent /api/* from returning text/html error messages which could act as an XSS vector (since 2.1.0) 26433 fix response-splitting vulnerability in /api/downloads (since 2.1.0) Bug 26437 allowed an attacker to create a URL to "/api/..." which would provoke an internal server error, resulting in the server returning an html page with text from the URL embedded and not escaped. This was fixed by ensuring all URLs below /api/ only ever return responses with a content type of application/json, even in the case of an internal server error. Bug 26433 allowed an attacker to specify a URL to /api/definitions which would cause an arbitrary additional header to be returned. This was fixed by stripping out CR/LF from the "download" query string parameter. Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad Could CVEs please be assigned to these issue? Thanks, Marc. -- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/
Current thread:
- CVE Request: XSS and response-splitting bugs in rabbitmq management plugin Marc Deslauriers (Jan 21)
- Re: CVE Request: XSS and response-splitting bugs in rabbitmq management plugin Marc Deslauriers (Jan 26)
- Re: CVE Request: XSS and response-splitting bugs in rabbitmq management plugin cve-assign (Jan 27)