axis-java-dev mailing list archives

From "Hudson (JIRA)" <>
Subject [jira] [Commented] (AXIS2-5846) Local file inclusion vulnerability in SimpleHTTPServer
Date Sun, 23 Apr 2017 12:47:04 GMT


Hudson commented on AXIS2-5846:

UNSTABLE: Integrated in Jenkins build Axis2 #3688 (See [])
AXIS2-5846: Fix a local file inclusion vulnerability in SimpleHTTPServer. This occurs because adds the root directory of the binary distribution to the class path, and SimpleHTTPServer
doesn't limit the search for XSD/WSDL files to the service class loader. This means that axis2.xml
is accessible remotely via a specially crafted query string (xsd=../conf/axis2.xml).

Although AxisServlet is not known to be vulnerable, this change also modifies ListingAgent
to limit the search to the service class loader. (veithen: rev 1792353)
* (edit) axis2/modules/transport/http/src/org/apache/axis2/transport/http/
* (edit) axis2/modules/transport/http/src/org/apache/axis2/transport/http/
* (edit) axis2/modules/transport/http/src/org/apache/axis2/transport/http/

> Local file inclusion vulnerability in SimpleHTTPServer
> ------------------------------------------------------
>                 Key: AXIS2-5846
>                 URL:
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2, 1.7.4
>            Reporter: Nupur
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2
> A defect has been raised on the present PCP 7.3 Axis version.
> * There is a Local File Inclusion (LFI) present in the Axis2 service. It
>   allows the attacker to view certain files that would normally be inaccessible. This
>   is a violation of PSB requirement SEC-SUP-PATCH because this is a publicly disclosed vulnerability
>   with a patch.
> * Security impact: Some of the files that are accessible via this LFI contain the username
>   and password to the Axis2 admin interface. While the admin interface appears to be disabled
>   currently, if it was ever enabled or an attacker found a way to access it, they would gain
>   admin access to the Axis2 system.
> In addition, this vulnerability is publicly known, which makes it more likely to be exploited
> by an attacker.

This message was sent by Atlassian JIRA
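As an added illustration (not code from the Axis2 project or from this thread), the following Python module flags the kind of request the commit message describes in access logs and validates resource names the way a hardened ?xsd=/?wsdl= lookup should; the log lines are constructed samples and the common-log-format layout is an assumption.

```python
"""Defensive checks for the ?xsd= / ?wsdl= lookups described above: a name validator
that mirrors the fix's intent, plus a scanner flagging bad names in access logs."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

LOOKUP_PARAMS = ("xsd", "wsdl")  # query parameters that name a resource to serve
# Assumed common/combined log format; only the fields the scanner needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def is_safe_resource_name(name: str) -> bool:
    """True only for a plain relative name: no NUL, backslash, absolute path or
    URL scheme, and no '..' segment left after normalisation."""
    if not name or "\x00" in name or "\\" in name or name.startswith("/"):
        return False
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*:", name):  # e.g. file:, jar:
        return False
    norm = posixpath.normpath(name)
    return "/../" not in "/" + norm + "/"

def lookup_target(request_uri: str):
    """(param, value) for a request that names a resource via xsd=/wsdl=;
    None for a plain '?wsdl' (no value) or an unrelated request."""
    qs = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    for param in LOOKUP_PARAMS:
        for value in qs.get(param, []):
            if value:
                return param, value
    return None

def scan_access_log(lines):
    """Return (client_ip, param, decoded_value, status) for every lookup
    whose resource name fails is_safe_resource_name()."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        target = lookup_target(m["uri"]) if m else None
        if target and not is_safe_resource_name(target[1]):
            hits.append((m["ip"], target[0], target[1], m["status"]))
    return hits

# Constructed sample lines (not real traffic); the last two are traversal attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Apr/2017:12:40:01 +0000] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 1342',
    '10.0.0.5 - - [23/Apr/2017:12:40:02 +0000] "GET /axis2/services/Version?xsd=Version.xsd HTTP/1.1" 200 811',
    '203.0.113.9 - - [23/Apr/2017:12:41:17 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 9870',
    '203.0.113.9 - - [23/Apr/2017:12:41:18 +0000] "GET /axis2/services/Version?xsd=%2e%2e/%2e%2e/conf/axis2.xml HTTP/1.1" 200 9870',
]
```

A 200 status on a flagged line is the signal that the traversal actually succeeded, which is what a patched server should no longer return.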
