ws-dev mailing list archives

From "Colm O hEigeartaigh (Closed) (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-98) Security Vurnability: Plaintext Usertoken Profile
Date Mon, 03 Oct 2011 09:04:36 GMT

     [ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-98.
----------------------------------

    
> Security Vurnability: Plaintext Usertoken Profile
> -------------------------------------------------
>
>                 Key: WSS-98
>                 URL: https://issues.apache.org/jira/browse/WSS-98
>             Project: WSS4J
>          Issue Type: Bug
>         Environment: Apache Axis 1.4 + WSS4J 1.5.3 
>            Reporter: Kenny Moens
>            Assignee: Fred Dushin
>            Priority: Critical
>         Attachments: plaintext_security_leak.diff
>
>
> When the username and password are passed without digest, no password check is performed.
> This can easily be reproduced with the following SOAP request:
>       <wsse:UsernameToken>
>         <wsse:Username>foo</wsse:Username>
>         <wsse:Password>bar</wsse:Password>
>       </wsse:UsernameToken>
> When looking at the source code, the password is in this case never checked.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
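
The failure mode described in the report, sketched as an added example (not WSS4J source and not part of the original message): a validator that compares the password only in the digest branch, beside one that checks every password type and fails closed. The class, its method names, the shortened type strings and the credential store are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added illustration: all names are hypothetical, not WSS4J's API. Type values are
// shortened; the real ones are URIs from the UsernameToken Profile.
public class UsernameTokenCheck {
    static final String DIGEST = "PasswordDigest", TEXT = "PasswordText";
    static final Map<String, String> USERS = Map.of("foo", "s3cret"); // constructed store

    // Shape of the reported bug: only the digest branch compares anything.
    static boolean validateFlawed(String user, String type, String pw, byte[] nonce, String created) throws Exception {
        String stored = USERS.get(user);
        if (DIGEST.equals(type)) return stored != null && matches(digest(nonce, created, stored), pw);
        return true; // plaintext token falls through with no password check
    }

    // Hardened: every type is compared; unknown users, types and missing fields fail closed.
    static boolean validate(String user, String type, String pw, byte[] nonce, String created) throws Exception {
        String stored = USERS.get(user);
        if (stored == null || pw == null) return false;
        if (DIGEST.equals(type))
            return nonce != null && created != null && matches(digest(nonce, created, stored), pw);
        if (type == null || TEXT.equals(type)) return matches(stored, pw); // no Type means PasswordText
        return false;
    }

    // UsernameToken Profile digest: Base64(SHA-1(nonce + created + password)).
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    // MessageDigest.isEqual compares without an early exit on the first mismatch.
    static boolean matches(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // The token from the report: username foo, password bar, no digest.
        System.out.println("flawed:   " + validateFlawed("foo", null, "bar", null, null));
        System.out.println("hardened: " + validate("foo", null, "bar", null, null));
        System.out.println("correct:  " + validate("foo", null, "s3cret", null, null));
    }
}
```

A regression test for this class of bug should send a plaintext token with a wrong password and assert rejection, since tests that only exercise the digest path never reach the unchecked branch.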

