Uploaded image for project: 'ActiveMQ'
  1. ActiveMQ
  2. AMQ-1272

Stomp protocol does not correctly check authentication (security hole)

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.0
    • Fix Version/s: 5.x
    • Component/s: Broker
    • Labels:
      None
    • Environment:

      4.2-SNAPSHOT

      Description

      ActiveMQ does not correctly validate the username and password of Stomp clients. A security exception is generated, but ignored, leaving the client connected, and with full and unrestricted access to ActiveMQ.

      Further description, and a partial patch:

      http://www.nabble.com/Getting-Stomp-support-to-a-usable-state...-tf3858629s2354.html#a11060452

      BTW, while the patch in the above post, is crude, however, leaving unauthenticated users connected with full-access makes ActiveMQ and Stomp pretty unusable. So please apply the path, rather than do nothing.

        Attachments

        1. AMQ1272-stomp-auth-v412.patch
          18 kB
          Donald Woods
        2. stomp-auth.patch
          20 kB
          Dejan Bosanac
        3. stomp.diff
          2 kB
          Tom Samplonius

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                tom@samplonius.org Tom Samplonius
              • Votes:
                2 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: