Date: Mon, 26 Jan 2015 13:39:24 -0500 From: Marc Deslauriers <marc.deslauriers@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: XSS and response-splitting bugs in rabbitmq management plugin On 2015-01-21 01:47 PM, Marc Deslauriers wrote: > Hello, > > The following issues were fixed in RabbitMQ 3.4.1: > > (as described in > https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs ) > > 26437 prevent /api/* from returning text/html error messages which could > act as an XSS vector (since 2.1.0) > 26433 fix response-splitting vulnerability in /api/downloads > (since 2.1.0) > > Bug 26437 allowed an attacker to create a URL to "/api/..." which would > provoke an internal server error, resulting in the server returning an > html page with text from the URL embedded and not escaped. This was > fixed by ensuring all URLs below /api/ only ever return responses with a > content type of application/json, even in the case of an internal server > error. > > Bug 26433 allowed an attacker to specify a URL to /api/definitions which > would cause an arbitrary additional header to be returned. This was > fixed by stripping out CR/LF from the "download" query string parameter. > > > Fixed by: > https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad > > Could CVEs please be assigned to these issue? > > Thanks, > > Marc. > ping? Marc.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ