axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jarek Gawor (JIRA)" <j...@apache.org>
Subject [jira] Issue Comment Edited: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files
Date Sun, 22 Mar 2009 16:55:50 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688150#action_12688150
] 

Jarek Gawor edited comment on AXIS2-4279 at 3/22/09 9:54 AM:
-------------------------------------------------------------

Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any file within webapps/axis2
directory but in trunk or branches/2.1 you can access any file on the file system (on Windows).



      was (Author: gawor@mcs.anl.gov):
    Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any file within webapps/axis2
directory but in trunk or branches/2.1 you can access any file on the file system.

  
> Local File Inclusion Vulnerability on parsing WSDL related XYD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried this, 
> furthermore i was also able to get public and private keystore/truststore located in
the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can configure more
securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message