activemq-dev mailing list archives

From "Tom Samplonius (JIRA)" <>
Subject [jira] Commented: (AMQ-1272) Stomp protocol does not correctly check authentication (security hole)
Date Mon, 16 Jul 2007 02:59:44 GMT


Tom Samplonius commented on AMQ-1272:

Well, the Perl Net::Stomp client definitely notices if the socket goes away, because if I
kill ActiveMQ, my client reports an immediate error:

Error reading command:  at /usr/local/lib/perl5/site_perl/5.8.8/Net/Stomp/ line 37,
<GEN0> line 25076.

This is expected though.  When the receive_frame() method is called, Net::Stomp does a blocking
read on a socket.  If that socket is closed, the read will return with an error code.  And
then Net::Stomp kicks out an "Error reading command" exception.

I have also retested this with a 5.0 snapshot from July 12, with the stomp.diff patch that
I posted above.  The behavior is the same.  A Stomp client will just block during login.  I
can see in netstat that there is one 61613 socket open as well, so it is definitely
not being closed by ActiveMQ.

> Stomp protocol does not correctly check authentication (security hole)
> ----------------------------------------------------------------------
>                 Key: AMQ-1272
>                 URL:
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.0.0
>         Environment: 4.2-SNAPSHOT
>            Reporter: Tom Samplonius
>            Priority: Blocker
>             Fix For: 4.1.2, 5.0.0
>         Attachments: stomp.diff
> ActiveMQ does not correctly validate the username and password of Stomp clients.  A security
> exception is generated, but ignored, leaving the client connected, and with full and unrestricted
> access to ActiveMQ.
> Further description, and a partial patch:

> BTW, while the patch in the above post is crude, leaving unauthenticated users
> connected with full access makes ActiveMQ and Stomp pretty unusable.  So please apply the
> patch, rather than do nothing.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
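The two failure modes discussed in this thread (the broker swallowing the authentication exception and leaving the client fully connected, versus the patched broker neither replying nor closing the socket so the client blocks in login) are contrasted below against the correct behaviour, sending an ERROR frame and closing the connection. This is a constructed, simplified model of a STOMP CONNECT handler written for this archive page; it is not ActiveMQ's or Net::Stomp's code, and the `Session`, `handle_connect` and `mode` names and the credential table are invented for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed credential store for the example; not real accounts.
USERS = {"system": "manager"}


class SecurityError(Exception):
    """Raised when CONNECT carries a bad login/passcode pair."""


@dataclass
class Session:
    """Per-connection state a broker would keep (hypothetical)."""
    authenticated: bool = False
    closed: bool = False
    sent: list = field(default_factory=list)   # frames written to the client


def parse_frame(raw: bytes) -> tuple[str, dict]:
    """Split a STOMP frame into its command and header dict (body ignored)."""
    head, _, _body = raw.partition(b"\n\n")
    lines = head.decode().split("\n")
    headers = dict(line.split(":", 1) for line in lines[1:] if ":" in line)
    return lines[0], headers


def authenticate(headers: dict) -> None:
    if USERS.get(headers.get("login")) != headers.get("passcode"):
        raise SecurityError("bad credentials")


def handle_connect(raw: bytes, session: Session, mode: str) -> Session:
    """mode 'ignore': the AMQ-1272 bug, exception swallowed, client stays in.
    mode 'silent': no reply and socket left open, so the client blocks.
    mode 'reject': ERROR frame then close, the behaviour a client can act on."""
    command, headers = parse_frame(raw)
    if command != "CONNECT":
        raise ValueError("expected CONNECT")
    try:
        authenticate(headers)
    except SecurityError as err:
        if mode == "ignore":
            pass                      # falls through to the success path below
        elif mode == "silent":
            return session            # nothing sent, connection dangling
        else:
            session.sent.append(f"ERROR\nmessage:{err}\n\n\x00")
            session.closed = True
            return session
    session.authenticated = True
    session.sent.append("CONNECTED\n\n\x00")
    return session
```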
