Well, by default the default dlq handler is running as mqm. One thing the user who is
allowed to publish messages can always do is to overflow his queue, deny others access
to the dead letter queue (by flooding it as well) and, subject to his knowledge of the
dlq rules in effect, and the rules themselves, try to achieve forwarding his or her
messages to other queues where s/he does not belong.
Pavel
Rick Tsujimoto
<[EMAIL PROTECTED] To: [EMAIL PROTECTED]
.CANON.COM> cc:
Sent by: MQSeries List Subject: Re: Security with
Server Connection channels
<[EMAIL PROTECTED]>
09/10/2003 10:37 AM
Please respond to MQSeries
List
Pavel,
Could you explain how a user could obtain more privilege vis-a-vis the dlq
handler?
Pavel Tolkachev
<pavel.tolkachev To: [EMAIL PROTECTED]
@DB.COM> cc:
Sent by: Subject: Re: Security with Server
Connection channels
MQSeries List
<[EMAIL PROTECTED]
en.AC.AT>
09/10/2003 09:28
AM
Please respond
to MQSeries List
Well, denial of service attack is always there, of course (I did not try it
myself with MQ and listener pool, to be completely honest). Of course, I
assume your system will use only SSL channels to have a strong
authentication and confidentiality on the wire. Do not forget to set
SSL_PEER to actually authenticate clients. It is slightly inconvenient
though as you can only accept a single distinguished name per a channel
instance -- but this is how it's done in MQ.
Also, be careful with triggering and DLQ (and DLQ handlers) *inside* the
cluster -- of course, the attacker must penetrate the SSL perimeter to try
to take advantage of them. The threat here is that a legal, but restricted,
user may try to get more privileges in trigger/dlq handler than s/he is
supposed to have. That's one reason why I try to never use any of
triggering / dlq handling.
I am sure there are other threats, just because they are always there
(access to system queues?) but I cannot think of anything concrete right
away. Will let you know if (when?) I will run into anything.
Hope this will help,
Pavel
[EMAIL PROTECTED]
.AU To:
[EMAIL PROTECTED]
Sent by: MQSeries cc:
List Subject: Security with
Server Connection channels
<[EMAIL PROTECTED]
n.AC.AT>
09/10/2003 01:33
AM
Please respond to
MQSeries List
Howdy all,
I need some thoughts on possible security vulnabilities.
If I have an MQ server being used as a gateway into a cluster, (it holds no
queues) and no command server is running and a pool of listners are running
for clients to connect with using a server connection channel, can anyone
do anything malicious to my cluster.
The platform would be Linux (red hat) and MQ v5.3 is installed, no other
inetd services are installed.
____________________________________________
Sid Young B I.T. (cs dc) AD (cse)
DBA
Intranet Developer
Analyst / Programmer
Information Systems Department
[EMAIL PROTECTED]
QML Pathology Phone: (07) 3840 4941 Fax: Fax??? This is the 21st Century!
www.qml.com.au
60 Ferry Rd
West End, QLD 4101
--
This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
--
This e-mail may contain confidential and/or privileged information. If you are not the
intended recipient (or have received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorized copying, disclosure or
distribution of the material in this e-mail is strictly forbidden.
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
