
Key: AMQ-1272
Type: Bug
Status: Reopened
Priority: Major
Assignee: Unassigned
Reporter: Tom Samplonius
Votes: 2
Watchers: 2
ActiveMQ

Stomp protocol does not correctly check authentication (security hole)

Created: 11/Jun/07 11:25 PM   Updated: 04/Sep/09 11:52 AM
Component/s: Broker
Affects Version/s: 5.0.0
Fix Version/s: 5.4.0

Time Tracking:
Not Specified

File Attachments:
AMQ1272-stomp-auth-v412.patch (18 kB), 2008-08-25 06:39 AM, Donald Woods, licensed for inclusion in ASF works
stomp-auth.patch (20 kB), 2007-12-16 12:12 PM, Dejan Bosanac, licensed for inclusion in ASF works
stomp.diff (2 kB), 2007-06-23 11:02 PM, Tom Samplonius, licensed for inclusion in ASF works
Environment: 4.2-SNAPSHOT
Issue Links:
dependent
 


Description
ActiveMQ does not correctly validate the username and password of Stomp clients. A security exception is generated, but ignored, leaving the client connected, and with full and unrestricted access to ActiveMQ.

Further description, and a partial patch:

http://www.nabble.com/Getting-Stomp-support-to-a-usable-state...-tf3858629s2354.html#a11060452

BTW, while the patch in the above post is crude, leaving unauthenticated users connected with full access makes ActiveMQ and Stomp pretty unusable. So please apply the patch, rather than do nothing.
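
Added example, not part of the original report and not ActiveMQ code: a small Python model of the fail-open pattern described above (the authentication exception is raised but ignored, so later frames are still honoured) beside a fail-closed handler that answers with an ERROR frame and drops the connection. The `Session` class, the credential store, the frames and the reply the fail-open path sends are all constructed for illustration.

```python
import hmac

USERS = {"alice": "s3cret"}  # constructed credential store
# Constructed frames: a CONNECT with bad credentials, then a SEND.
BAD_LOGIN = ["CONNECT\nlogin:mallory\npasscode:guess\n\n\x00",
             "SEND\ndestination:/queue/orders\n\nhello\x00"]

class SecurityException(Exception): pass  # stands in for the broker's auth failure

def parse_frame(raw):
    """Return (command, headers) of a STOMP frame; the body is ignored."""
    head = raw.split("\n\n", 1)[0].split("\n")
    return head[0], dict(h.split(":", 1) for h in head[1:] if ":" in h)

def authenticate(headers):
    expected = USERS.get(headers.get("login", ""))
    supplied = headers.get("passcode", "").encode()
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        raise SecurityException("invalid login or passcode")

class Session:
    """fail_closed=False models the reported behaviour, True the fix."""
    def __init__(self, fail_closed):
        self.fail_closed = fail_closed
        self.authenticated, self.open = False, True
        self.delivered = []  # destinations that accepted a SEND
    def handle(self, raw):
        if not self.open:
            return None  # transport already closed, frame is discarded
        command, headers = parse_frame(raw)
        if command == "CONNECT":
            try:
                authenticate(headers)
                self.authenticated = True
            except SecurityException as exc:
                if self.fail_closed:
                    self.open = False  # ERROR frame, then drop the connection
                    return "ERROR\nmessage:%s\n\n\x00" % exc
                # modelled defect: exception ignored, client stays connected
            return "CONNECTED\n\n\x00"
        if self.fail_closed and not self.authenticated:
            self.open = False  # no frame is honoured before a valid CONNECT
            return "ERROR\nmessage:not authenticated\n\n\x00"
        if command == "SEND":
            self.delivered.append(headers.get("destination"))
        return None

def replay(frames, fail_closed):
    session = Session(fail_closed)
    return session, [session.handle(f) for f in frames]
```

Replaying `BAD_LOGIN` with `fail_closed=False` leaves the SEND delivered even though `authenticated` is still false; with `fail_closed=True` the first reply is an ERROR frame and nothing is delivered.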


