Posted to issues@activemq.apache.org by "Arthur Naseef (JIRA)" <ji...@apache.org> on 2017/01/20 20:55:26 UTC

[jira] [Created] (AMQ-6573) CSRF attack complaint on webconsole on purge or delete after navigating

Arthur Naseef created AMQ-6573:
----------------------------------

             Summary: CSRF attack complaint on webconsole on purge or delete after navigating
                 Key: AMQ-6573
                 URL: https://issues.apache.org/jira/browse/AMQ-6573
             Project: ActiveMQ
          Issue Type: Bug
          Components: Broker
    Affects Versions: 5.14.3
            Reporter: Arthur Naseef


CSRF protection causes a failure on attempting to purge or delete messages on the webconsole after navigating; the following steps will reproduce the problem:

1. login to webconsole
2. click "Queues"
3. click on a queue name to browse the queue
4. click the browser back button
5. click "Purge" or "Delete" next to any queue

The result is a CSRF exception failing the attempt.  It turns out that browsing a queue causes a new secret key to be generated.  This is easy to see by hovering over the "delete" link on both the main Queues page (queues.jsp) and the queue-browser page (admin/browse.jsp).

Perhaps passing the secret key into the browser page is the best way to avoid this frustration for users?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
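A small model of the stale-token failure described in the report, written for this page rather than taken from ActiveMQ's own code: a hypothetical SessionCsrf class stands in for the console's per-session secret, and the five reproduction steps are replayed against it. Rotating the secret on every page render makes the cached Queues page's links fail after the back button; keeping one secret per session (the behaviour the report suggests) accepts them while still rejecting a forged value.

```python
import secrets


class SessionCsrf:
    """Hypothetical stand-in for the web console's per-session CSRF secret.

    rotate_on_render=True mimics the reported behaviour, where rendering the
    queue-browser page generates a fresh secret and invalidates links already
    embedded in earlier pages. rotate_on_render=False keeps one secret for the
    whole session, so every page the user has open carries a valid token.
    """

    def __init__(self, rotate_on_render: bool) -> None:
        self.rotate_on_render = rotate_on_render
        self.secret = secrets.token_hex(16)

    def render_page(self) -> str:
        # queues.jsp / admin/browse.jsp embed the current secret in their
        # Purge/Delete action links; return what that page would contain.
        if self.rotate_on_render:
            self.secret = secrets.token_hex(16)
        return self.secret

    def check(self, submitted: str) -> bool:
        # Constant-time comparison of the submitted token against the
        # secret the server currently holds for this session.
        return secrets.compare_digest(submitted, self.secret)


def back_button_scenario(rotate_on_render: bool) -> bool:
    """Replay the report's steps; True means the Purge/Delete request is accepted."""
    session = SessionCsrf(rotate_on_render)
    queues_page_secret = session.render_page()  # step 2: "Queues" page rendered
    session.render_page()                       # step 3: browse page rendered
    # step 4: back button shows the cached Queues page with its old links
    return session.check(queues_page_secret)    # step 5: click "Purge"/"Delete"


def forged_token_rejected(rotate_on_render: bool) -> bool:
    """A request carrying a token not issued to this session must fail either way."""
    session = SessionCsrf(rotate_on_render)
    session.render_page()
    return not session.check(secrets.token_hex(16))  # constructed bogus token


if __name__ == "__main__":
    print("rotating secret, back button:", back_button_scenario(True))   # False
    print("session secret, back button:", back_button_scenario(False))   # True
```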