Undertow / UNDERTOW-450

Undertow mod_cluster proxy does not reject suspicious MCMP messages


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 1.3.0.Beta1, 1.2.7.Final
    • 1.2.6.Final, 1.3.0.Beta1
    • Proxy
    • None
      { echo "CONFIG / HTTP/1.1"; echo "Host: 192.168.0.122:8080"; echo "Content-Length: 95"; echo "User-Agent: notprdel"; echo ""; echo -e "JVMRoute=%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E&Host=192.168.0.122&Maxattempts=1&Port=8009&StickySessionForce=No&Type=ajp&ping=10\c"; sleep 1;} | telnet 192.168.0.122 8080

      The MCMP processing must reject all weird, malformed and outright malicious MCMP messages. Any negligence here could lead to something like MODCLUSTER-453 a.k.a. CVE-2015-0298 in future.

      For instance, messages containing valid JavaScript code shouldn't be accepted:

      17:12:11,797 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: JVMRoute, value: <script>alert('X');</script>
      17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Host, value: 192.168.0.122
      17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Maxattempts, value: 1
      17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Port, value: 800
      17:12:11,799 DEBUG [io.undertow] (default task-1) UT005049: NodeConfig created: connectionURI: http://192.168.0.122:800/?#, balancer: mycluster, domain: null, jvmRoute: <script>alert('X');</script>, flushPackets: false, flushwait: 10, ping: 10000,ttl: 0, timeout: 0, maxConnections: 16, cacheConnections: 5, requestQueueSize: 10, queueNewRequests: true
      17:12:11,799 DEBUG [io.undertow] (default task-1) UT005038: Balancer created: id: 1, name: mycluster, stickySession: true, stickySessionCookie: JSESSIONID, stickySessionPath: jsessionid, stickySessionRemove: false, stickySessionForce: true, waitWorker: 0, maxattempts: 1
      17:12:11,803 INFO  [io.undertow] (default task-1) UT005053: Registering node <script>alert('X');</script>, connection: http://192.168.0.122:800/?#
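
      An added example, not part of the original report and not Undertow's own code: a fail-closed allowlist check for the CONFIG fields seen in this report, applied after URL-decoding and before any node is registered. The class name, the character allowlist, the length limits and the decision to reject unknown keys are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example (hypothetical class, not Undertow code). Requires Java 10+.
public class McmpConfigValidator {
    // Assumed policy: identifiers are short and drawn from a fixed alphabet.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9._:-]{1,80}");
    private static final Pattern NUMBER = Pattern.compile("[0-9]{1,5}");

    /** Decodes a form-encoded CONFIG body; throws if any pair fails the allowlist. */
    static Map<String, String> parse(String body) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("malformed pair");
            // URLDecoder itself throws IllegalArgumentException on broken %-escapes.
            String key = URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            // Validate the decoded form; never echo attacker-controlled text in the error.
            if (!isValid(key, value)) throw new IllegalArgumentException("rejected MCMP field");
            if (fields.put(key, value) != null) throw new IllegalArgumentException("duplicate key " + key);
        }
        return fields;
    }

    static boolean isValid(String key, String value) {
        switch (key) {
            case "JVMRoute": case "Host":
                return TOKEN.matcher(value).matches();
            case "Port":
                return NUMBER.matcher(value).matches()
                        && Integer.parseInt(value) >= 1 && Integer.parseInt(value) <= 65535;
            case "Maxattempts": case "ping":
                return NUMBER.matcher(value).matches();
            case "Type":
                return value.equals("ajp") || value.equals("http") || value.equals("https");
            case "StickySessionForce":
                return value.equalsIgnoreCase("yes") || value.equalsIgnoreCase("no");
            default:
                return false; // fail closed: this sketch knows only the keys in the report
        }
    }

    public static void main(String[] args) {
        String benign = "JVMRoute=node-1&Host=192.168.0.122&Maxattempts=1&Port=8009&Type=ajp&ping=10"; // constructed
        String reported = "JVMRoute=%3Cscript%3Ealert(%27X%27)%3B%3C%2Fscript%3E&Host=192.168.0.122&Port=8009"; // JVMRoute from the report
        System.out.println("accepted: " + parse(benign));
        try { parse(reported); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

      The check runs on the decoded value, which is the form that reaches the log lines and the registered node name shown above.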
      

            sdouglas1@redhat.com Stuart Douglas
            mbabacek1@redhat.com Michal Karm
            Michal Karm Michal Karm