Because the program fails to enable authentication when connecting to MSMQ queues, an attacker can anonymously submit messages to the queue for processing.
If the program does not authenticate when connecting to an MSMQ queue that delivers messages to another program, an attacker can submit a malicious message anonymously.
Example 1: The <netMsmqBinding/> element of the WCF configuration file below instructs WCF to disable authentication when connecting to an MSMQ queue for message delivery.
<bindings>
  <netMsmqBinding>
    <binding>
      <security>
        <transport msmqAuthenticationMode="None" />
      </security>
    </binding>
  </netMsmqBinding>
</bindings>
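The following audit script is an added example, not part of the original page or of any vendor tooling. It flags netMsmqBinding entries that disable transport authentication and shows a hardened binding beside the weak one from Example 1. The binding names, the function name and the sample file are constructed; the extra check for security mode="None" goes beyond the case on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weak binding from Example 1 next to a hardened one.
# WindowsDomain and Sign are also the WCF defaults when nothing is specified.
SAMPLE_CONFIG = """
<configuration>
  <system.serviceModel>
    <bindings>
      <netMsmqBinding>
        <binding name="weakQueue">
          <security>
            <transport msmqAuthenticationMode="None" />
          </security>
        </binding>
        <binding name="hardenedQueue">
          <security mode="Transport">
            <transport msmqAuthenticationMode="WindowsDomain"
                       msmqProtectionLevel="Sign" />
          </security>
        </binding>
      </netMsmqBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""

def find_unauthenticated_msmq_bindings(config_xml):
    """Return (binding name, reason) for each netMsmqBinding that skips transport authentication."""
    findings = []
    for section in ET.fromstring(config_xml).iter("netMsmqBinding"):
        for binding in section.findall("binding"):
            name = binding.get("name", "(unnamed)")
            security = binding.find("security")
            if security is None:
                continue  # no override: WCF defaults to Transport / WindowsDomain
            if security.get("mode") == "None":
                findings.append((name, 'security mode="None"'))
                continue
            transport = security.find("transport")
            if transport is not None and transport.get("msmqAuthenticationMode") == "None":
                findings.append((name, 'msmqAuthenticationMode="None"'))
    return findings

if __name__ == "__main__":
    for name, reason in find_unauthenticated_msmq_bindings(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

WindowsDomain requires MSMQ to be installed with Active Directory integration; Certificate is the other authenticated value of msmqAuthenticationMode.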
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A3 Broken Authentication and Session Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A3 Broken Authentication and Session Management
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A7 Broken Authentication and Session Management
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3480.2 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 285
[6] Standards Mapping - FIPS200 - (FISMA) IA
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[8] Microsoft Developer Network (MSDN)
[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 285
[10] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 285
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3, Requirement 7.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7, Requirement 7.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8, Requirement 7.2