[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files

Sun, 22 Mar 2009 04:24:17 -0700 

    [ 
https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688120#action_12688120
 ] 

Wolfram Kluge commented on AXIS2-4279:
--------------------------------------

Well, sorry for less description.

Environment:

OS: Windows XP SP3
JAVA: v1.6
Server: Tomcat 5.5
Axis2: WAR-File Distribution

My steps to reproduce this issue.

Tomcat was downloaded and installled on a windows system. Since the server 
started successfull we put the WAR file
in webapps dir. Till now connecting to axis2 interface was possible. 
Furthermore we setup Eclipse and build a simple 
Web Service containig nothing more then one class without any content. We build 
the web service within the IDE and exported it as WAR.  Next we deployed our 
useless web service in same procedure as the axis2 war file.

Since we got the wsdl oft the web service displayed we tried to execute attack 
vector shown above. I cant believe that these issue is allready know because 
there are so many servers out there which vulnerable against these vector.

Is there  a CVE-ID in place?


> Local File Inclusion Vulnerability on parsing WSDL related XYD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried 
> this, 
> furthermore i was also able to get public and private keystore/truststore 
> located in the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can 
> configure more securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to