
Key: AMQ-1272
Type: Bug
Status: Reopened
Priority: Major
Assignee: Unassigned
Reporter: Tom Samplonius
Votes: 1
Watchers: 2
ActiveMQ

Stomp protocol does not correctly check authentication (security hole)

Created: 11/Jun/07 11:25 PM   Updated: 04/Sep/09 11:52 AM
Component/s: Broker
Affects Version/s: 5.0.0
Fix Version/s: 5.4.0

Time Tracking:
Not Specified

File Attachments (all licensed for inclusion in ASF works):
  AMQ1272-stomp-auth-v412.patch (text file, 18 kB), 2008-08-25 06:39 AM, Donald Woods
  stomp-auth.patch (text file, 20 kB), 2007-12-16 12:12 PM, Dejan Bosanac
  stomp.diff (file, 2 kB), 2007-06-23 11:02 PM, Tom Samplonius
Environment: 4.2-SNAPSHOT
Issue Links:
dependent
 


Description
ActiveMQ does not correctly validate the username and password of Stomp clients. A security exception is generated, but ignored, leaving the client connected, and with full and unrestricted access to ActiveMQ.

Further description, and a partial patch:

http://www.nabble.com/Getting-Stomp-support-to-a-usable-state...-tf3858629s2354.html#a11060452

BTW, while the patch in the above post is crude, leaving unauthenticated users connected with full access makes ActiveMQ and Stomp pretty unusable. So please apply the patch, rather than do nothing.
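
The failure mode described above, as an added example: a simplified Python model of a STOMP connection handler that ignores the security exception, next to one that fails closed. This is not ActiveMQ code and not taken from the attached patches; the class and function names, the credential store and the frames are all constructed for illustration.

```python
import hmac

USERS = {"alice": "s3cret"}  # constructed credential store

class SecurityError(Exception):
    pass

def parse_frame(raw):
    """Split a STOMP frame: command, header lines, blank line, body, NUL."""
    head, _, body = raw.rstrip("\x00").partition("\n\n")
    command, *lines = head.split("\n")
    return command, dict(l.split(":", 1) for l in lines if l), body

def authenticate(headers):
    login, passcode = headers.get("login", ""), headers.get("passcode", "")
    if login not in USERS or not hmac.compare_digest(USERS[login], passcode):
        raise SecurityError("bad login/passcode")

class Connection:
    def __init__(self, fail_closed):
        self.fail_closed = fail_closed
        self.open, self.authenticated, self.delivered = True, False, []

    def handle(self, raw):
        if not self.open:
            return None  # transport already closed, frame is dropped
        command, headers, body = parse_frame(raw)
        if command == "CONNECT":
            try:
                authenticate(headers)
                self.authenticated = True
                return "CONNECTED\n\n\x00"
            except SecurityError as exc:
                if not self.fail_closed:
                    return None  # the bug: exception ignored, client stays on
                self.open = False
                return "ERROR\nmessage:%s\n\n\x00" % exc
        if self.fail_closed and not self.authenticated:
            self.open = False  # no frame is served before a good CONNECT
            return "ERROR\nmessage:not authenticated\n\n\x00"
        if command == "SEND":
            self.delivered.append((headers.get("destination"), body))
        return None

def replay(fail_closed, passcode="wrong"):
    """Feed a constructed CONNECT + SEND sequence to one connection."""
    conn = Connection(fail_closed)
    frames = ["CONNECT\nlogin:alice\npasscode:%s\n\n\x00" % passcode,
              "SEND\ndestination:/queue/orders\n\nhello\x00"]
    return [conn.handle(f) for f in frames], conn.delivered, conn.open
```

The same two-frame sequence works as a regression check against a real broker: after a CONNECT with a bad passcode, the following SEND must not be delivered.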



James Strachan made changes - 12/Jun/07 02:48 AM
Field Original Value New Value
Affects Version/s 5.0.0 [ 11712 ]
Tom Samplonius made changes - 23/Jun/07 11:02 PM
Attachment stomp.diff [ 15548 ]
Rob Davies made changes - 23/Jul/07 05:16 AM
Priority Blocker [ 1 ] Major [ 3 ]
Rob Davies made changes - 19/Aug/07 10:43 PM
Fix Version/s 4.1.2 [ 11801 ]
Fix Version/s 5.1.0 [ 11802 ]
Fix Version/s 5.0.0 [ 11712 ]
Dejan Bosanac made changes - 16/Dec/07 12:12 PM
Attachment stomp-auth.patch [ 15984 ]
Dejan Bosanac made changes - 16/Dec/07 12:13 PM
Link This issue is depended upon by AMQ-998 [ AMQ-998 ]
Hiram Chirino made changes - 20/Dec/07 06:39 AM
Status Open [ 1 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]
Donald Woods made changes - 25/Aug/08 06:31 AM
Status Resolved [ 5 ] Reopened [ 4 ]
Resolution Fixed [ 1 ]
Donald Woods made changes - 25/Aug/08 06:39 AM
Attachment AMQ1272-stomp-auth-v412.patch [ 16904 ]
Rob Davies made changes - 10/Sep/08 05:11 AM
Fix Version/s 5.1.0 [ 11802 ]
Fix Version/s 5.3.0 [ 11914 ]
Gary Tully made changes - 25/Jun/09 02:22 AM
Fix Version/s 5.3.0 [ 11914 ]
Fix Version/s 4.1.3 [ 11901 ]
Rob Davies made changes - 04/Sep/09 11:52 AM
Fix Version/s 4.1.3 [ 11901 ]
Fix Version/s 5.4.0 [ 12110 ]