axis-java-dev mailing list archives

From "David Camilo Espitia Manrique (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AXIS2-5682) BUG - External Control of File Name or Path
Date Mon, 05 Jan 2015 22:37:35 GMT
David Camilo Espitia Manrique created AXIS2-5682:
----------------------------------------------------

             Summary: BUG - External Control of File Name or Path 
                 Key: AXIS2-5682
                 URL: https://issues.apache.org/jira/browse/AXIS2-5682
             Project: Axis2
          Issue Type: Bug
          Components: kernel
    Affects Versions: 1.6.2, 1.5.6
            Reporter: David Camilo Espitia Manrique
             Fix For: 1.5.6


We are currently using axis2-kernel-1.5.6.jar and the Veracode analysis found this bug in
these classes:

1. DeploymentEngine.java (Line 381, 421, 469, 802, 816, 818)
2. DirectoryResourceLocation.java (Line 39)
3. HTTPWorker.java (Line 101 and 177)
4. ListingAgent.java (Line 123)
5. Utils.java (Line 650)
6. WarBasedWSDLLocator.java (Line 68)

Description of the bug:

This call contains a path manipulation flaw. The argument to the function is a filename constructed
using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be
possible to gain unauthorized access to files on the server, including those outside the webroot, that
would normally be inaccessible to end users. The level of exposure depends on the effectiveness of
input validation routines, if any.

Is this a false positive?

Thanks.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org

