Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <54BFF440.7070001@canonical.com>
Date: Wed, 21 Jan 2015 13:47:28 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: XSS and response-splitting bugs in rabbitmq management
 plugin

Hello,

The following issues were fixed in RabbitMQ 3.4.1:

(as described in
https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs )

26437 prevent /api/* from returning text/html error messages which could
       act as an XSS vector (since 2.1.0)
26433 fix response-splitting vulnerability in /api/downloads
       (since 2.1.0)

Bug 26437 allowed an attacker to create a URL to "/api/..." which would
provoke an internal server error, resulting in the server returning an
html page with text from the URL embedded and not escaped. This was
fixed by ensuring all URLs below /api/ only ever return responses with a
content type of application/json, even in the case of an internal server
error.

Bug 26433 allowed an attacker to specify a URL to /api/definitions which
would cause an arbitrary additional header to be returned. This was
fixed by stripping out CR/LF from the "download" query string parameter.


Fixed by:
https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad

Could CVEs please be assigned to these issue?

Thanks,

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.