Posted to issues@activemq.apache.org by "Arthur Naseef (JIRA)" <ji...@apache.org> on 2017/01/20 20:55:26 UTC
[jira] [Created] (AMQ-6573) CSRF attack complaint on webconsole on purge or delete after navigating
Arthur Naseef created AMQ-6573:
----------------------------------
Summary: CSRF attack complaint on webconsole on purge or delete after navigating
Key: AMQ-6573
URL: https://issues.apache.org/jira/browse/AMQ-6573
Project: ActiveMQ
Issue Type: Bug
Components: Broker
Affects Versions: 5.14.3
Reporter: Arthur Naseef
CSRF protection causes a failure on attempting to purge or delete messages on the webconsole after navigating; the following steps will reproduce the problem:
1. log in to the webconsole
2. click "Queues"
3. click on a queue name to browse the queue
4. click the browser back button
5. click "Purge" or "Delete" next to any queue
The result is a CSRF exception failing the attempt. It turns out that browsing a queue causes a new secret key to be generated. This is easy to see by hovering over the "delete" link on both the main Queues page (queues.jsp) and the queue-browser page (admin/browse.jsp).
Perhaps passing the secret key into the browser page is the best way to avoid this frustration for users?
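As an added illustration (not code from the ActiveMQ project or from the reporter), here is a small Python model of the token flow described in the steps above: a Queues page whose Delete link carries the CSRF secret, a browse page that either mints a fresh secret (the reported behaviour) or keeps the one passed to it (the suggested fix), and the back-button click on the stale link. The `secret` query parameter, the session-scoped storage and the `/admin/delete.action` path are assumptions made to keep the model concrete.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class Session:
    """Server-side session; only the CSRF secret matters for this model (assumed layout)."""
    def __init__(self):
        self.secret = None


def _issue_secret(session):
    # Mint a new per-session CSRF secret and return it.
    session.secret = secrets.token_hex(16)
    return session.secret


def render_queues_page(session):
    """Main Queues page: the Delete link embeds the secret current at render time."""
    secret = session.secret or _issue_secret(session)
    return f"/admin/delete.action?secret={secret}"  # hypothetical action URL


def render_browse_page_rotating(session, incoming_secret=None):
    """Reported behaviour: browsing a queue always generates a new secret,
    which silently invalidates links on pages the browser already rendered."""
    _issue_secret(session)


def render_browse_page_reusing(session, incoming_secret=None):
    """Suggested fix: the browse page is given the existing secret and keeps it,
    so earlier pages (and the back button) still hold a valid token."""
    if incoming_secret and session.secret and hmac.compare_digest(incoming_secret, session.secret):
        return
    _issue_secret(session)


def handle_delete(session, link):
    """Server-side CSRF check for the Delete action: token must match the session secret."""
    token = parse_qs(urlparse(link).query).get("secret", [""])[0]
    return bool(session.secret) and hmac.compare_digest(token, session.secret)


def reproduce(render_browse):
    """Walk the reporter's steps and return whether the final Delete click is accepted."""
    s = Session()
    delete_link = render_queues_page(s)                       # steps 1-2: Queues page shown
    secret = parse_qs(urlparse(delete_link).query)["secret"][0]
    render_browse(s, secret)                                  # step 3: browse the queue
    # step 4: back button re-displays the cached Queues page with the old link
    return handle_delete(s, delete_link)                      # step 5: click Delete
```

Running `reproduce` with the rotating variant reproduces the CSRF failure, while the reusing variant lets the stale-looking link succeed because the secret never changed.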
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)