Posted to server-dev@james.apache.org by Michael Kaegi <ka...@brainware.ch> on 2002/03/11 17:08:53 UTC

RE: javax.mail.Session access protection (part IV),

... from scratch.


Test case:

Is the JAMES default javax.mail.Session secure? I think not!


Test environment: 

OS: MS Windows 2000
JDK: 1.3
JAMES: James 2.0a2


Test description:

- Install and configure JAMES (only DNS must be set).
- Run JAMES.
- View JAMESMailSessionHackTest source code. No SMTP host, user or 
password will be set to connect to the SMTP server (in our case JAMES). 
Because no SMTP host is set the default will be used and this is 
'localhost'.
- Run JAMESMailSessionHackTest; as the first argument you must specify a 
recipient email address.
- Check if the recipient has received an email from 'jmsht@brainware.ch' 
with the subject: 'JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!'. In my 
case it did.


JAMESMailSessionHackTest source code:

import java.util.*;

import javax.mail.*;
import javax.mail.internet.*;

/**
 * This class gets the default mail session from JAMES
 * and sends an email to specified recipient.
 *
 * @author  Michael Kaegi (kam@brainware.ch)
 * @version 1.0
 */
public class JAMESMailSessionHackTest {

    private Session session;

    public static void main(String[] args) {

        JAMESMailSessionHackTest jt = new JAMESMailSessionHackTest();
        jt.getMailSession();
        jt.sendMail(args[0]);
    }

    private void getMailSession() {

        // Empty properties: JavaMail falls back to its built-in defaults
        // (mail.smtp.host = localhost, port 25). The Session is created in
        // this JVM; nothing is fetched from the JAMES process.
        Properties props = new Properties();
        session = Session.getDefaultInstance(props, null);
    }

    private void sendMail(String recipient) {

        try {

            System.out.println("Session mail.smtp.host: " + 
session.getProperty("mail.smtp.host"));
            System.out.println("Session mail.user: " + 
session.getProperty("mail.user"));

            MimeMessage mm = new MimeMessage(session);
            mm.setFrom(new InternetAddress("jmsht@brainware.ch"));
            mm.addRecipient(Message.RecipientType.TO, new 
InternetAddress(recipient));
            mm.setSubject("JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!");
            mm.setText("Suprise.");
            Transport.send(mm);

        } catch(Exception e) {

            System.out.println("Exception: ");
            System.out.println(e);
            e.printStackTrace();
        }
    }
}



Question: Why can you get the JAMES default javax.mail.Session without 
valid authentication? See the JavaMail specification.

Question: Why is the JAMES default javax.mail.Session not protected by 
authentication? 

Question: Is this a JAMES bug, a feature, or...?


Thanx ?

Bye
Michi

Re: javax.mail.Session access protection (part IV),

Posted by Serge Knystautas <se...@lokitech.com>.
Look, you are making a series of incredibly wrong assumptions that
demonstrate no understanding of SMTP or the JavaMail API.  Danny tried to
point out how this is wrong, but you seem to have ignored him.

Question: Why can you get the JAMES default javax.mail.Session without
valid authentication? See the JavaMail specification.

Answer:  There is nothing related to JAMES in your code.  You are sending a
message using SMTP, which requires no authentication.  You are not accessing
or using anything that's contained within JAMES.

Question: Why is the JAMES default javax.mail.Session not protected by
authentication?


Answer:  There is nothing related to JAMES in your code.  You have not
gained access to an object within James.  You have no special
authentication, and do not require any authentication to instantiate an
object.  You are not accessing or using anything that's contained within
JAMES.

Question: Is this a JAMES bug, a feature, or...?

Answer:  There is nothing related to JAMES in your code.  You are not
accessing or using anything that's contained within JAMES.

If you don't believe me, run your tests using Exchange, sendmail, and any
other mail server you want, and you will see the identical behavior.

Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/
----- Original Message -----
From: "Michael Kaegi" <ka...@brainware.ch>
To: <ja...@jakarta.apache.org>
Sent: Monday, March 11, 2002 11:08 AM
Subject: RE: javax.mail.Session access protection (part IV),



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
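As an added example (not code from this thread or from JAMES): the SMTP exchange that `Transport.send()` in the test class drives, modelled in Python with the server's relay decision alongside. It shows the point Serge makes, that the session is built on the client side and the protocol never asks for AUTH, and where a mail server's protection actually lives: whether it accepts mail for a given recipient from an unauthenticated client. `LOCAL_DOMAINS`, `SmtpServer` and the recipient addresses are constructed for the example.

```python
# Constructed model of the unauthenticated SMTP exchange that Transport.send()
# in the test class above produces, with the server's relay decision alongside.
# Not JAMES code; LOCAL_DOMAINS is an assumed server setting.
LOCAL_DOMAINS = {"example.org"}  # assumption: domains this server delivers for

class SmtpServer:
    """Minimal server state machine. The protocol never demands AUTH; the only
    access control a server applies is the per-recipient relay policy."""

    def __init__(self, local_domains, authenticated=False):
        self.local, self.authenticated = local_domains, authenticated
        self.sender, self.rcpts, self.in_data, self.accepted = None, [], False, []

    def handle(self, line):
        if self.in_data:                      # inside DATA: collect until "."
            if line != ".":
                return None
            self.in_data = False
            self.accepted.append((self.sender, list(self.rcpts)))
            return "250 OK message accepted"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 localhost"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            if domain in self.local or self.authenticated:
                self.rcpts.append(addr)       # local delivery or authed relay
                return "250 OK"
            return "550 relaying denied"      # unauthenticated relay attempt
        if verb == "DATA":
            if not self.rcpts:
                return "503 no valid recipients"
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognized command"

def run_session(server, recipient):
    """Replay the commands the test class sends for one message; return replies."""
    script = ["EHLO client", "MAIL FROM:<jmsht@brainware.ch>",
              f"RCPT TO:<{recipient}>", "DATA", "Subject: JAMESMailSessionHackTest",
              "", "Suprise.", ".", "QUIT"]
    return [r for r in map(server.handle, script) if r is not None]
```

Run against a local recipient the message is accepted with no AUTH command anywhere in the dialogue, exactly as the test observed; run against a remote recipient the same unauthenticated client is refused at RCPT TO, which is the check a mail server's configuration, not the JavaMail Session, enforces.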


RE: javax.mail.Session access protection (part IV),

Posted by Danny Angus <da...@thought.co.uk>.
Hi,
I will explain once more why I think you are mistaken; perhaps you would
like to correct any misunderstanding I may have made, rather than just
re-iterating your initial assertion, which is getting us nowhere.

1/ Your class is sending an email to James, using SMTP on localhost. James
is *supposed* to receive it; James is an SMTP mail server.
2/ Your class will not be running in the same JVM as James unless it is run
in the same instance of Avalon.
3/ You have not demonstrated how any sensitive information is gained from
the default mail session.

d.

> -----Original Message-----
> From: Michael Kaegi [mailto:kam@brainware.ch]
> Sent: Monday, March 11, 2002 4:09 PM
> To: james-dev@jakarta.apache.org
> Subject: RE: javax.mail.Session access protection (part IV),

