MQSeries.net :: View topic

pintrader · Posted: Mon May 19, 2014 1:33 am Post subject: MQTT security

hi
i am struggle with security team about telemetry client running the webclient demos. my MQ is running telemetry service. however I also installed the Telemetry client during installation. So now when the security runs the network scanner, the report says :

The request string used to detect this flaw was :

/<script>cross_site_scripting.contact admin</script>.asp

The output was :

HTTP/1.1 400 AMQHT0400E: Bad Request.
Content-length: 1147
Content-type: text/plain; charset=iso-8859-1

java.net.URISyntaxException: Illegal character in path at index 42: http
://someserver.some.domain:1883/<script>cross_site_scripting.contact admin<
/script>.asp
java.net.URISyntaxException: Illegal character in path at index 42 [...]
at java.net.URI$Parser.fail(URI.java:2821)

port 1883 is the default telemetry channel port. Even if I uninstalled the Telemetry client and restarted the MQXR service, it still flagged this vulnerability

How can I mitigate this risk of XSS ?
thanks