Is this a MQ security risk?

Monk (Master, Joined: 21 Apr 2007, Posts: 282)
Posted: Wed Sep 09, 2009 4:28 am Post subject: Is this a MQ security risk?
Hi All,
I have a question related to MQ security.
Following is the scenario.
Assume I have an AIX box running MQ v > 6.
I write a C application in which I open some queue and put a message. Note here that when I open a queue I set the "set Identity context" option in the put options.
Now I have a simple cluster like so:
QM1 and QM2 in "CLUSTER",
and I have defined an alias queue, say "TEST.ALIAS", and this points to a cluster queue "TEST.CLQ" which is locally defined on QM2.
And on QM2, I have a receiver channel TO.QM2 in which I have set PUTAUT(CTX) instead of the default.
Now the C application can set 'mqm' in the MQMD.userid field and put the message on alias queue "TEST.ALIAS" on QM1, of course assuming I have given it connect and put permissions respectively.
According to the documentation, MQ should put the message on TEST.CLQ as "mqm".
Is this correct?
And if so, isn't this a security hole?
I have tried this on Windows, and I was able to do this.
This led me to believe that setting PUTAUT(CTX) is a security risk.
Am I correct in my assumption or have I gone wrong somewhere?
Thanks
_________________
Thimk

mqjeff (Grand Master, Joined: 25 Jun 2008, Posts: 17447)
Posted: Wed Sep 09, 2009 4:39 am Post subject:
Yes.
MQ requires specific tuning and careful planning to secure. And PUTAUT(CTX) is never a good idea.
But none of this is new.

exerk (Jedi Council, Joined: 02 Nov 2006, Posts: 6339)
Posted: Wed Sep 09, 2009 4:40 am Post subject:
Please give me all your bank account details, including passwords. I shall then masquerade as you, because you have given me the authority to do so, and empty said bank account.
Do you think that would be a security risk?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Monk (Master, Joined: 21 Apr 2007, Posts: 282)
Posted: Wed Sep 09, 2009 4:46 am Post subject:
Quote:
> Please give me all your bank account details, including passwords. I shall then masquerade as you, because you have given me the authority to do so, and empty said bank account.
> Do you think that would be a security risk?

So yes it is a security risk.
I just wanted to confirm.
_________________
Thimk
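
Added example, not part of any post in this thread: a Python check that reads runmqsc output for `DISPLAY CHANNEL(*) CHLTYPE PUTAUT` and lists the channels defined with PUTAUT(CTX), the setting discussed above. The sample output is constructed; TO.QM2 is the channel named in the thread, and the other channel names and the function names are assumptions.

```python
import re

# Constructed sample of runmqsc output for `DISPLAY CHANNEL(*) CHLTYPE PUTAUT`
# on QM2. TO.QM2 is the channel from the thread; the other names are made up.
SAMPLE_MQSC_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE PUTAUT
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(CLUSRCVR)
   PUTAUT(CTX)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSSDR)
AMQ8414: Display Channel details.
   CHANNEL(APP.RCVR)                       CHLTYPE(RCVR)
   PUTAUT(DEF)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # one NAME(value) pair
ECHO = re.compile(r"\s*\d+ : ")             # runmqsc echo of a typed command


def parse_channels(mqsc_output):
    """Split runmqsc output into one {ATTRIBUTE: value} dict per channel."""
    channels, current = [], None
    for line in mqsc_output.splitlines():
        if line.startswith("AMQ8414"):      # header of each channel record
            current = {}
            channels.append(current)
        elif ECHO.match(line):              # a new command: close the record
            current = None
        elif current is not None:
            current.update(ATTR.findall(line))
    return [c for c in channels if "CHANNEL" in c]


def ctx_channels(mqsc_output):
    """Return (channel, type) for each channel defined with PUTAUT(CTX)."""
    return [(c["CHANNEL"], c.get("CHLTYPE", "?"))
            for c in parse_channels(mqsc_output)
            if c.get("PUTAUT") == "CTX"]


if __name__ == "__main__":
    for name, chltype in ctx_channels(SAMPLE_MQSC_OUTPUT):
        print(f"{name} ({chltype}): PUTAUT(CTX), puts are authorised "
              "against the user ID carried in the message descriptor")
```
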