https://bugzilla.redhat.com/show_bug.cgi?id=1185514
Bug ID: 1185514
Summary: RabbitMQ: /api/... XSS vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
chrisw(a)redhat.com, dallan(a)redhat.com,
erlang(a)lists.fedoraproject.org, gkotton(a)redhat.com,
hubert.plociniczak(a)gmail.com, jeckersb(a)redhat.com,
josh(a)fornwall.com, lemenkov(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rjones(a)redhat.com, s(a)shk.io, sclewis(a)redhat.com,
yeylon(a)redhat.com
26437 prevent /api/* from returning text/html error messages which could act as
an XSS vector (since 2.1.0)
Bug 26437 allowed an attacker to create a URL to "/api/..." which would
provoke an internal server error, resulting in the server returning an
html page with text from the URL embedded and not escaped. This was
fixed by ensuring all URLs below /api/ only ever return responses with a
content type of application/json, even in the case of an internal server
error.
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-web-dispatch/rev/caf3d0a80cf3
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
--
You are receiving this mail because:
You are on the CC list for the bug.