axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Amila Chinthaka Suriarachchi (JIRA)" <>
Subject [jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files
Date Fri, 03 Apr 2009 17:02:13 GMT


Amila Chinthaka Suriarachchi commented on AXIS2-4279:

Is this occur in linux as well?

According to the given description the isn't following url should show the axis2.xml?


Can't we fix this issue by checking for "../" in the query?

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>                 Key: AXIS2-4279
>                 URL:
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried this, 
> furthermore i was also able to get public and private keystore/truststore located in
the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can configure more
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message