Posted to dev@activemq.apache.org by "Javier Segura (JIRA)" <ji...@apache.org> on 2011/06/01 14:11:47 UTC
[jira] [Created] (AMQ-3345) Possible CSRF attack on 5.5
Possible CSRF attack on 5.5
---------------------------
Key: AMQ-3345
URL: https://issues.apache.org/jira/browse/AMQ-3345
Project: ActiveMQ
Issue Type: Bug
Affects Versions: 5.5.0
Environment: Ubuntu server LTS 10.04.2
Linux abertis 2.6.32-32-server #62-Ubuntu SMP Wed Apr 20 22:07:43 UTC 2011 x86_64 GNU/Linux
Java HotSpot(TM) 64-Bit Server VM (build 11.0-b15, mixed mode)
Reporter: Javier Segura
When trying to purge the contents of any queue, I receive:
2011-06-01 11:28:31,103 | WARN | /admin/queues.jsp | org.eclipse.jetty.util.log | qtp85031456-16
javax.el.ELException: java.lang.reflect.UndeclaredThrowableException
at org.apache.activemq.web.handler.BindingBeanNameUrlHandlerMapping.getHandlerInternal(BindingBeanNameUrlHandlerMapping.java:58)
at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:184)
at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:945)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:753)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:527)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1216)
at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1187)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:421)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:493)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:930)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:358)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:866)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113)
at org.eclipse.jetty.server.Server.handle(Server.java:351)
at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:594)
at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1042)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:549)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:211)
at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
at java.lang.Thread.run(Thread.java:619)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Alex Soto (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13061949#comment-13061949 ]
Alex Soto commented on AMQ-3345:
--------------------------------
I also experienced this issue. Using a browser, no SSH involved.
Actually, it stopped happening while I was typing this, so this is very strange.
[jira] [Closed] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Timothy Bish (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Timothy Bish closed AMQ-3345.
-----------------------------
Resolution: Cannot Reproduce
[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Dejan Bosanac (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042693#comment-13042693 ]
Dejan Bosanac commented on AMQ-3345:
------------------------------------
That check is implemented for 5.4.0 and there weren't any other changes later on. So it should be the same on 5.4.1 and 5.5.0.
[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Dejan Bosanac (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042131#comment-13042131 ]
Dejan Bosanac commented on AMQ-3345:
------------------------------------
How do you call this page? This check is introduced to prevent CSRF attacks, so that the "purge" link can only be clicked from the webapp page. It works all fine here.
[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Dejan Bosanac (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042154#comment-13042154 ]
Dejan Bosanac commented on AMQ-3345:
------------------------------------
On a second look, the exception looks strange. We throw UnsupportedOperationException. Wonder if it is related to the JVM being used. Did you try with the Sun JRE?
[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Javier Segura (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042157#comment-13042157 ]
Javier Segura commented on AMQ-3345:
------------------------------------
We are using the Sun JRE. Maybe it is related to the SSH tunnel? This began to happen yesterday after the update from 5.4.1; all the other elements in the scenario (Java VM, SSH forwarded port, machines, queues...) are the same.
> at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:424)
> at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:506)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436)
> at java.lang.Thread.run(Thread.java:619)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (AMQ-3345) Possible CSRF attack on 5.5
Posted by "Javier Segura (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/AMQ-3345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13042142#comment-13042142 ]
Javier Segura commented on AMQ-3345:
------------------------------------
I call the purge link from the browser through an ssh tunnel on the machine where ActiveMQ is.