axis-java-dev mailing list archives

From "Amila Chinthaka Suriarachchi (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files
Date Sat, 04 Apr 2009 04:36:13 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12695671#action_12695671 ]

Amila Chinthaka Suriarachchi commented on AXIS2-4279:
-----------------------------------------------------

Although I could not get the axis2.xml, this worked for me:

http://localhost:8085/axis2/services/Version?xsd=services.xml

Again, people can write security policies in service.xml (for the new SMTP transport, SMTP passwords are put into the services.xml file).

I think it is possible to get password call back class as well.

So, as Jarek has mentioned, we must restrict it to known extension types.
The only option to support other extensions is to put a parameter in axis2.xml and set its default to only xsd and wsdl, so that users can add any other type if they think it is safe.

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello
> I don't know if it is a vulnerability or it is an issue of misconfiguration.
> The problem occurs by doing the following things:
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> I was able to get these files displayed by the web browser. Once I tried this,
> furthermore I was also able to get the public and private keystore/truststore located in the WEB-INF dir as well.
> So please let me know if it is a misconfiguration, and tell me how I can configure it more securely.
> If it's a bug please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
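
The restriction proposed in the comment above (serve `?xsd=` only for known extension types, defaulting to xsd and wsdl), sketched as an added example that is not Axis2 code or part of the original message. The class name, method name, and schema root path are hypothetical, and the containment check against the schema root goes beyond what the comment proposes.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public class XsdParamCheck {
    // Default allow-list from the comment: only xsd and wsdl. A deployment
    // could extend it via a configuration parameter (name not given on the page).
    static final Set<String> DEFAULT_EXTENSIONS = Set.of("xsd", "wsdl");

    /** True only if the name has an allowed extension and stays under schemaRoot. */
    static boolean isAllowed(String requested, Path schemaRoot, Set<String> allowedExtensions) {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            return false;
        }
        int dot = requested.lastIndexOf('.');
        if (dot < 0 || dot == requested.length() - 1) {
            return false; // no extension at all
        }
        String ext = requested.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!allowedExtensions.contains(ext)) {
            return false; // e.g. services.xml, axis2.xml, keystores
        }
        // Added assumption: also require the resolved path to stay below the
        // schema directory, so an allowed extension cannot be combined with "../".
        Path root = schemaRoot.toAbsolutePath().normalize();
        Path resolved = root.resolve(requested).normalize();
        return resolved.startsWith(root);
    }

    public static void main(String[] args) {
        // Constructed root and sample values, modelled on the requests quoted in the thread.
        Path root = Paths.get("/opt/app/WEB-INF/services/Version/META-INF");
        String[] samples = {
            "services.xml",                      // in-tree, but not a schema type
            "/../../../WEB-INF/conf/axis2.xml",  // wrong type and outside the root
            "../../../conf/keystore.xsd",        // allowed type, escapes the root
            "types.xsd",
            "Version.WSDL"
        };
        for (String s : samples) {
            String verdict = isAllowed(s, root, DEFAULT_EXTENSIONS) ? "serve" : "reject";
            System.out.println(s + " -> " + verdict);
        }
    }
}
```

Only the last two samples are served; the extension check alone would have let the third one through.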

