Affected Versions:
Apache Group ActiveMQ 5.3.1
Vulnerability description:
Apache ActiveMQ is a popular messaging and integration patterns provider.
An input validation error exists in Apache ActiveMQ. By adding "//" to the URL request for admin/index.jsp, admin/queues.jsp, admin/topics.jsp and other management pages, a user can read the source code of the JSP page.
<* Reference
http://marc.info/?l=bugtraq&m=127196074718617&q=p3
https://issues.apache.org/activemq/si/jira.issueviews:issue-html/AMQ-2700/AMQ-2700.html
http://secunia.com/advisories/39567/
*>
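One way to look for requests of the shape described above in web access logs, as an added example that is not part of the original advisory. It assumes NCSA/combined log format, flags any "//" in the path of a .jsp request (slightly broader than the leading "//" shown on this page), and runs over constructed log lines.

```python
import re

# Request line and status inside an NCSA/combined access-log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def request_path(target):
    """Return the path of a request target, keeping empty segments intact."""
    # urllib's urlsplit() is avoided on purpose: it reads "//admin/index.jsp"
    # as a network-path reference (host "admin") and hides the double slash.
    absolute = re.match(r"(?i)https?://[^/]*", target)
    if absolute:
        target = target[absolute.end():]
    return target.split("?", 1)[0]


def is_suspicious(target):
    """True when the path contains "//" and names a JSP page."""
    path = request_path(target).lower()
    return "//" in path and path.endswith(".jsp")


def find_hits(lines):
    """Return (client, status, target) for every matching request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((line.split(" ", 1)[0], int(m.group("status")), m.group("target")))
    return hits


# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2010:10:01:02 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Apr/2010:10:01:07 +0000] "GET //admin/index.jsp HTTP/1.1" 200 2048',
    '192.0.2.44 - - [22/Apr/2010:10:01:11 +0000] "GET //admin/topics.jsp?x=1 HTTP/1.1" 404 312',
    '192.0.2.51 - - [22/Apr/2010:10:01:30 +0000] "GET http://www.example.com:8161//admin/queues.jsp HTTP/1.1" 200 1777',
    '192.0.2.10 - - [22/Apr/2010:10:02:00 +0000] "GET /styles//site.css HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, status, target in find_hits(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```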
Test method:
The program (method) provided on this site may be offensive and is intended only for security research and teaching. Use it at your own risk!
http://www.example.com:8161//admin/index.jsp
http://www.example.com:8161//admin/queues.jsp
http://www.example.com:8161//admin/topics.jsp
SEBUG security recommendations:
Temporary solution:
1. Go to the ${ACTIVEMQ_HOME}/webapps directory
2. Create a new directory named static: mkdir static
3. Move the index.html file to that directory: mv index.html static/
4. Change the ResourceHandler to use the static directory: edit ${ACTIVEMQ_HOME}/conf/jetty.xml and change the ResourceHandler definition to
<bean class="org.mortbay.jetty.handler.ResourceHandler">
    <property name="welcomeFiles">
        <list>
            <value>index.html</value>
        </list>
    </property>
    <property name="resourceBase" value="${activemq.base}/webapps/static"/>
</bean>
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://repository.apache.org/content/repositories/snapshots/org/apache/activemq/apache-activemq/5.4-SNAPSHOT/apache-activemq-5.4-SNAPSHOT-bin.tar.gz