james-server-dev mailing list archives

From: "Danny Angus" <da...@thought.co.uk>
Subject: RE: javax.mail.Session access protection (part IV),
Date: Mon, 11 Mar 2002 23:12:46 GMT
Hi,
I will explain once more why I think you are mistaken; perhaps you would
like to correct any misunderstanding I may have made, rather than just
re-iterating your initial assertion, which is getting us nowhere.

1/ your class is sending an email to James, using SMTP on localhost. James
is *supposed* to receive it, James is an SMTP mailserver.
2/ your class will not be running in the same JVM as James unless it is run
in the same instance of Avalon.
3/ you have not demonstrated how any sensitive information is gained from
the default mail session.

d.

> -----Original Message-----
> From: Michael Kaegi [mailto:kam@brainware.ch]
> Sent: Monday, March 11, 2002 4:09 PM
> To: james-dev@jakarta.apache.org
> Subject: RE: javax.mail.Session access protection (part IV),
>
>
> ... from scratch.
>
>
> Test case:
>
> Is the JAMES default javax.mail.Session secure? I think not!
>
>
> Test environment:
>
> OS: MS Windows 2000
> JDK: 1.3
> JAMES: James 2.0a2
>
>
> Test description:
>
> - Install and configure JAMES (only DNS must be set).
> - Run JAMES.
> - View JAMESMailSessionHackTest source code. No SMTP host, user or
> password will be set to connect to the SMTP server (in our case JAMES).
> Because no SMTP host is set the default will be used and this is
> 'localhost'.
> - Run JAMESMailSessionHackTest; as the first argument you must specify a
> recipient email address.
> - Check if the recipient has received an email from 'jmsht@brainware.ch'
> with the subject:
> 'JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!'. In my
> case it is like that.
>
>
> JAMESMailSessionHackTest source code:
>
> import java.util.*;
>
> import javax.mail.*;
> import javax.mail.internet.*;
>
> /**
>  * This class gets the default mail session from JAMES
>  * and sends an email to specified recipient.
>  *
>  * @author  Michael Kaegi (kam@brainware.ch)
>  * @version 1.0
>  */
> public class JAMESMailSessionHackTest {
>
>     private Session session;
>
>     public static void main(String[] args) {
>
>         JAMESMailSessionHackTest jt = new JAMESMailSessionHackTest();
>         jt.getMailSession();
>         jt.sendMail(args[0]);
>     }
>
>     private void getMailSession() {
>
>         Properties props = new Properties();
>         session = Session.getDefaultInstance(props, null);
>     }
>
>     private void sendMail(String recipient) {
>
>         try {
>
>             System.out.println("Session mail.smtp.host: "
>                 + session.getProperty("mail.smtp.host"));
>             System.out.println("Session mail.user: "
>                 + session.getProperty("mail.user"));
>
>             MimeMessage mm = new MimeMessage(session);
>             mm.setFrom(new InternetAddress("jmsht@brainware.ch"));
>             mm.addRecipient(Message.RecipientType.TO,
>                 new InternetAddress(recipient));
>             mm.setSubject("JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!");
>             mm.setText("Suprise.");
>             Transport.send(mm);
>
>         } catch(Exception e) {
>
>             System.out.println("Exception: ");
>             System.out.println(e);
>             e.printStackTrace();
>         }
>     }
> }
>
>
>
> Question: Why can you get the JAMES default javax.mail.Session without a
> valid authentication? See JavaMail specification.
>
> Question: Why is the JAMES default javax.mail.Session not protected with
> an authentication?
>
> Question: Is this a JAMES Bug, Feature or?
>
>
> Thanx ?
>
> Bye
> Michi
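Editor's note, added to this archived thread and not written by either correspondent: the "access protection" the JavaMail specification attaches to the default Session is scoped to one JVM. Session.getDefaultInstance() hands out a single shared Session, and the Authenticator passed on the first call decides whether later callers in the same JVM may retrieve it (a later caller is refused with a SecurityException unless it passes the same Authenticator object, or one loaded by the same class loader). A class started as its own process, as in the test above, simply creates its own default Session and never meets that check; what it then exercises is the SMTP listener on localhost, which is Danny's point 1 and 2. The program below illustrates the in-JVM rule without opening any network connection. It assumes the javax.mail 1.x API (Session, Authenticator, PasswordAuthentication); the class name DefaultSessionAccessDemo, the MailboxAuthenticator class and the placeholder credentials are constructed for this example.

```java
import java.util.Properties;

import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

/**
 * Added example (not code from the thread): shows what JavaMail's
 * default-Session access protection does and does not cover.
 * Nothing here connects to an SMTP server.
 */
public class DefaultSessionAccessDemo {

    /** Constructed Authenticator; the credentials are placeholders and are never transmitted. */
    static final class MailboxAuthenticator extends Authenticator {
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("placeholder-user", "placeholder-password");
        }
    }

    /**
     * First caller in this JVM: creates the per-JVM default Session and
     * binds it to an Authenticator. JavaMail remembers that Authenticator.
     */
    static Session createProtectedDefault() {
        Properties props = new Properties();
        props.put("mail.smtp.host", "localhost"); // the value JavaMail would default to anyway
        return Session.getDefaultInstance(props, new MailboxAuthenticator());
    }

    /**
     * Later caller in the same JVM that, like JAMESMailSessionHackTest, passes
     * no Authenticator. Returns true if JavaMail refused to hand out the
     * already-created default Session.
     */
    static boolean unauthenticatedCallerIsRefused() {
        try {
            Session.getDefaultInstance(new Properties(), null);
            return false; // would only happen if the default had been created with a null Authenticator
        } catch (SecurityException refused) {
            return true;  // "Access to default session denied"
        }
    }

    /**
     * What a component that does not want to share should use instead:
     * Session.getInstance() returns a fresh, unshared Session, so its
     * properties are not reachable through the default-Session lookup at all.
     */
    static Session createPrivateSession(Properties props) {
        return Session.getInstance(props, new MailboxAuthenticator());
    }

    public static void main(String[] args) {
        Session shared = createProtectedDefault();
        System.out.println("default session mail.smtp.host = "
            + shared.getProperty("mail.smtp.host"));
        System.out.println("caller without Authenticator refused: "
            + unauthenticatedCallerIsRefused());

        Properties props = new Properties();
        props.put("mail.smtp.host", "localhost");
        Session priv = createPrivateSession(props);
        System.out.println("getInstance() returned the shared default: " + (priv == shared));
    }
}
```

Run it as a single process and the second getDefaultInstance() call is refused while the getInstance() Session is a separate object. Run the same two calls from two different processes, as the test in this thread effectively does, and each process gets its own default Session, because the protection is a JVM-local check and not a property of the mail server.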


--
To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>

