activemq-dev mailing list archives

From "Pieter (JIRA)" <>
Subject [jira] Commented: (AMQ-1272) Stomp protocol does not correctly check authentication (security hole)
Date Sun, 24 Jun 2007 14:25:34 GMT


Pieter commented on AMQ-1272:

I'm using the PHP Stomp client, that might explain the difference in the behaviour with incorrect
auth details. I don't have access to the setup right now, I will report the exact behaviour
when I do. I guess it's possible that the Net::Stomp code expects a Stomp ERROR frame, which
isn't sent, or a CONNECTED frame (which isn't sent either). Perhaps it's waiting for these
frames, I don't know the code. I think in my case the socket was disconnected, but I'm not
sure. I will investigate.

> Stomp protocol does not correctly check authentication (security hole)
> ----------------------------------------------------------------------
>                 Key: AMQ-1272
>                 URL:
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.0.0
>         Environment: 4.2-SNAPSHOT
>            Reporter: Tom Samplonius
>            Priority: Blocker
>             Fix For: 4.1.2, 5.0.0
>         Attachments: stomp.diff
> ActiveMQ does not correctly validate the username and password of Stomp clients.  A security
> exception is generated, but ignored, leaving the client connected, and with full and unrestricted
> access to ActiveMQ.
> Further description, and a partial patch:

> BTW, while the patch in the above post is crude, leaving unauthenticated users
> connected with full access makes ActiveMQ and Stomp pretty unusable.  So please apply the
> patch, rather than do nothing.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
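An added illustration, not ActiveMQ's code and not the attached stomp.diff: a minimal STOMP 1.0 CONNECT handler written two ways. The first mirrors the reported fail-open behaviour (the security exception is caught and dropped, the session stays usable, and neither ERROR nor CONNECTED is ever sent, which also explains why a client waiting for one of those frames hangs); the second fails closed by answering an ERROR frame and refusing the session. The credential table, session id and frame helpers are constructed for the example.

```python
import hmac

class SecurityException(Exception):
    """Stands in for the broker's authentication failure."""

# Constructed credential store for the example (not ActiveMQ's).
USERS = {"system": "manager"}

def build_frame(command, headers=None, body=""):
    """Serialise a STOMP 1.0 frame: COMMAND, header lines, blank line, body, NUL."""
    hdrs = "".join(f"{k}:{v}\n" for k, v in (headers or {}).items())
    return f"{command}\n{hdrs}\n{body}".encode() + b"\x00"

def parse_frame(raw):
    """Split a NUL-terminated STOMP 1.0 frame into (command, headers, body)."""
    head, _, body = raw.rstrip(b"\x00").decode().partition("\n\n")
    lines = head.split("\n")
    headers = dict(line.split(":", 1) for line in lines[1:] if line)
    return lines[0], headers, body

def authenticate(headers):
    """Raise SecurityException unless login/passcode match the store."""
    login, passcode = headers.get("login"), headers.get("passcode")
    expected = USERS.get(login)
    # A missing header or unknown user must never compare equal to anything.
    if login is None or passcode is None or expected is None \
            or not hmac.compare_digest(expected.encode(), passcode.encode()):
        raise SecurityException("Invalid login or passcode")

def handle_connect_fail_open(raw):
    """The reported bug: the exception is swallowed and the session is kept."""
    _, headers, _ = parse_frame(raw)
    try:
        authenticate(headers)
    except SecurityException:
        pass  # ignored: no ERROR, no CONNECTED, caller remains fully connected
    return {"reply": None, "connected": True}

def handle_connect_fail_closed(raw):
    """Fail closed: an ERROR frame is sent and the session is refused."""
    command, headers, _ = parse_frame(raw)
    if command != "CONNECT":
        return {"reply": build_frame("ERROR", {"message": "CONNECT expected"}),
                "connected": False}
    try:
        authenticate(headers)
    except SecurityException as exc:
        # The caller should close the socket after writing this frame.
        return {"reply": build_frame("ERROR", {"message": str(exc)}),
                "connected": False}
    # "session-1" is a constructed placeholder for a generated session id.
    return {"reply": build_frame("CONNECTED", {"session": "session-1"}),
            "connected": True}
```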
