axis-java-dev mailing list archives

From Philip Lowman <phi...@yhbt.com>
Subject Question on vulnerable Xalan 2.7.0 being distributed with Axis2 1.7.3
Date Sat, 10 Sep 2016 14:12:36 GMT
Hi,
I noticed that Xalan version 2.7.0 is being distributed with the Axis2
1.7.3 binary release.

This version appears to have a rather serious security flaw which (if I am
understanding things properly) can allow remote code execution.  I guess
I'm wondering if this is exploitable via Axis somehow?

http://www.cvedetails.com/cve/CVE-2014-0107/
https://tools.cisco.com/security/center/viewAlert.x?alertId=34517

I've tried the approach indicated at ws-attacks below which I think is for
this vulnerability, but run into exceptions I don't understand (and I'm
also not a WS/XML/XSLT guru).

http://www.ws-attacks.org/XML_Signature_%E2%80%93_XSLT_Code_Execution
https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf

Thanks!

-- 
Philip Lowman
