[rabbitmq-discuss] Possible RabbitMQ 3.0.4 Management Plug-in (Mochiweb) Directory Traversal Vulnerability?

Emile Joubert emile at rabbitmq.com
Thu Jul 11 09:58:40 BST 2013


Hi Zachary,

On 10/07/13 11:22, Emile Joubert wrote:
> On 10/07/13 01:05, Zach Austin wrote:
>> A commercial off-the-shelf vulnerability scanner is detecting a
>> directory traversal vulnerability in the RabbitMQ management plugin HTTP
>> server (Mochiweb) installed in the default configuration on Windows
>> Server 2003. Exploitation of the vulnerability reportedly does not
>> require authentication. 
>>
>> I can provide details upon request.  Please let me know if this is a
>> known issue 
> 
> 
> If you provide details then we'll be able to determine whether this is a
> known issue. Please reply to me directly if you feel the need to
> practice responsible disclosure.


Thanks for taking the time to report this issue. This is a known issue
in the sense that it has been reported and fixed in the Mochiweb project:

 https://github.com/mochi/mochiweb/issues/92

Unfortunately the version of Mochiweb included in RabbitMQ does not yet
include the upstream fix, but we do plan to update this and include the
fix. The RabbitMQ release notes will contain a description to that effect.

In the meantime, here are some possible workarounds:
If you access the management interface via a proxy then you can include
a rule to disallow access to URLs that contain backslashes.
The issue appears to be Windows-specific, so you could enable the
management interface only on non-Windows nodes.



-Emile
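The first workaround above is a proxy rule that refuses any URL containing a backslash. The following is an added illustration of that check, not code from RabbitMQ, Mochiweb or this thread: a request filter of the kind a reverse proxy or small gateway would apply in front of the management listener. It goes slightly beyond the mail's wording in that it also rejects percent-encoded backslashes (`%5c`, and double-encoded `%255c`), since a plain substring match on the raw URL would let those through if the backend decodes them. The sample request targets are constructed for the demo; `contains_backslash`, `filter_request` and `MAX_DECODE_ROUNDS` are names chosen here.

```python
"""
Reverse-proxy style request filter: reject any request whose target contains
a backslash, whether raw or percent-encoded, so that a Windows-hosted backend
never sees one. Stand-alone illustration; not RabbitMQ or Mochiweb code.
"""
from urllib.parse import unquote

# Bound repeated decoding so a long chain of "%25" prefixes cannot make us
# loop indefinitely; three rounds already exceeds what real clients send.
MAX_DECODE_ROUNDS = 3


def contains_backslash(request_target: str) -> bool:
    """Return True if the request-target contains a backslash at any
    percent-encoding depth up to MAX_DECODE_ROUNDS.

    The check is applied to the string as received and again after each
    decoding round, because a proxy that matches only the raw bytes would
    forward "%5c" untouched and leave the decision to the backend.
    """
    candidate = request_target
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if "\\" in candidate:
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break  # nothing left to decode
        candidate = decoded
    return False


def filter_request(method: str, request_target: str):
    """Decide what the proxy should do with one request.

    Returns an HTTP status code to answer with immediately (400) when the
    target must be refused, or None when the request may be forwarded to
    the management plugin unchanged. The method is accepted for symmetry
    with a real proxy hook; the rule is method-independent.
    """
    if contains_backslash(request_target):
        return 400
    return None


if __name__ == "__main__":
    # Constructed sample targets: two ordinary management API paths and
    # three variants carrying a backslash at different encoding depths.
    samples = [
        ("GET", "/api/overview"),
        ("GET", "/api/queues?name=a%20b"),
        ("GET", "/js/..\\..\\sample.txt"),
        ("GET", "/js/..%5c..%5csample.txt"),
        ("GET", "/js/..%255c..%255csample.txt"),
    ]
    for method, target in samples:
        verdict = filter_request(method, target)
        action = "forward" if verdict is None else f"reject {verdict}"
        print(f"{method} {target!r}: {action}")
```

Run as-is it prints a verdict per sample. The same rule expressed directly in nginx would be an `if ($request_uri ~ "(\\\\|%5[cC])") { return 400; }` in the server block that proxies to the management port; note that `$request_uri` is the raw, undecoded request line, so such a regex sees `%5c` but not `%255c`, which is why the Python version decodes in rounds before deciding.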






