Delivered-To: apmail-ws-axis-dev-archive@www.apache.org
Mailing-List: contact axis-dev-help@ws.apache.org; run by ezmlm
Precedence: bulk
Reply-To: axis-dev@ws.apache.org
Delivered-To: mailing list axis-dev@ws.apache.org
Message-ID: <807890261.1238085380955.JavaMail.jira@brutus>
Date: Thu, 26 Mar 2009 09:36:20 -0700 (PDT)
From: "Detelin Yordanov (JIRA)"
To: axis-dev@ws.apache.org
Subject: [jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files
In-Reply-To: <319873329.1237596770614.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689538#action_12689538 ]

Detelin Yordanov commented on AXIS2-4279:
-----------------------------------------

Hi guys,

Don't you think that checking for the .xsd extension is way too restrictive? It is perfectly possible that there are services out there which import schemas with a different file extension (e.g. simply .xml). I would suggest applying the following restrictions:

1. Allow access only to files under META-INF.
2. Allow access only to imported schemas/WSDLs. For this to work one just needs to verify whether the file to load is imported from any of the AxisService schemas, or is contained in the AxisService's importedNamespaces (which contains the WSDL imports).

What do you think?

Regards,
Detelin

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
>                      Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello,
> I don't know if it is a vulnerability or an issue of misconfiguration.
> The problem occurs by doing the following things:
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> I was able to get these files displayed by the web browser. Once I tried this,
> furthermore I was also able to get the public and private keystore/truststore located in the WEB-INF dir as well.
> So please let me know if it is a misconfiguration, and tell me how I can configure more securely.
> If it's a bug, please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
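Added example, not Axis2's own code nor anything posted in the thread: one way to enforce the two restrictions Detelin proposes on a `?xsd=` lookup, shown beside the unchecked lookup the report describes. The directory layout, the import list and the class name are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/** Guards a "?xsd=" lookup with the two restrictions proposed in the comment (illustrative class). */
public final class SchemaRequestGuard {

    private final Path metaInf;                // the service's META-INF directory (assumed layout)
    private final Set<String> importedSchemas; // schemaLocation values gathered from the service's imports

    public SchemaRequestGuard(Path metaInf, Set<String> importedSchemas) {
        this.metaInf = metaInf.toAbsolutePath().normalize();
        this.importedSchemas = importedSchemas;
    }

    private static String relative(String param) {
        return param.startsWith("/") ? param.substring(1) : param;
    }

    /** The shape the report describes: the parameter is appended to the base path unchecked. */
    public Path resolveUnchecked(String xsdParam) {
        return metaInf.resolve(relative(xsdParam)).normalize();
    }

    /** Hardened lookup: returns the file to serve, or null when the request must be refused. */
    public Path resolveChecked(String xsdParam) {
        if (xsdParam == null || xsdParam.isEmpty()) {
            return null;
        }
        // Restriction 2: only locations the service's WSDL/XSDs actually import.
        // No file-extension check, so schemas named ".xml" keep working.
        if (!importedSchemas.contains(xsdParam)) {
            return null;
        }
        Path candidate = metaInf.resolve(relative(xsdParam)).normalize();
        // Restriction 1: after normalization the file must still lie under META-INF.
        if (!candidate.startsWith(metaInf)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample layout and import list; names are illustrative only.
        Path metaInf = Paths.get("/srv/tomcat/webapps/InsaneService/WEB-INF/services/WSInsane/META-INF");
        SchemaRequestGuard guard = new SchemaRequestGuard(metaInf, Set.of("types.xsd", "common-types.xml"));
        String traversal = "/../../../WEB-INF/conf/axis2.xml"; // the request quoted in the report
        System.out.println("unchecked: " + guard.resolveUnchecked(traversal));      // escapes META-INF
        System.out.println("checked:   " + guard.resolveChecked(traversal));        // null (refused)
        System.out.println("checked:   " + guard.resolveChecked("common-types.xml")); // served
    }
}
```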