axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Detelin Yordanov (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files
Date Thu, 26 Mar 2009 16:36:20 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689538#action_12689538
] 

Detelin Yordanov commented on AXIS2-4279:
-----------------------------------------

Hi guys, 
    Don't you think that checking for .xsd extension is a way too restrictive? It is perfectly
possible that there are services out there, which import schemas with different file extension
(e.g. simply .xml). I would suggest the following restrictions to apply:

1. Allow access only to files under META-INF
2. Allow access only to imported schemas/wsdls, for this to work one just needs to verify
whether the file to load is imported from any of the AxisService schemas, or is contained
in AxisService's importedNamespaces (contains WSDL Imports).

What do you think?

Regards,
   Detelin

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried this, 
> furthermore i was also able to get public and private keystore/truststore located in
the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can configure more
securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message