Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-1272

Stomp protocol does not correctly check authentication (security hole)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 5.0.0
    • 5.x
    • Broker
    • None

    • 4.2-SNAPSHOT

    Description

      ActiveMQ does not correctly validate the username and password of Stomp clients. A security exception is generated, but ignored, leaving the client connected, and with full and unrestricted access to ActiveMQ.

      Further description, and a partial patch:

      http://www.nabble.com/Getting-Stomp-support-to-a-usable-state...-tf3858629s2354.html#a11060452

      BTW, while the patch in the above post, is crude, however, leaving unauthenticated users connected with full-access makes ActiveMQ and Stomp pretty unusable. So please apply the path, rather than do nothing.

      Attachments

        1. stomp.diff
          2 kB
          Tom Samplonius
        2. stomp-auth.patch
          20 kB
          Dejan Bosanac
        3. AMQ1272-stomp-auth-v412.patch
          18 kB
          Donald Woods

        Issue Links

          is depended upon by

          New Feature - A new feature of the product, which has yet to be developed. AMQ-998 add support for stomp+ssl

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              tom@samplonius.org Tom Samplonius
              Votes:
              2 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: