[
https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688150#action_12688150
]
Jarek Gawor edited comment on AXIS2-4279 at 3/22/09 9:54 AM:
-------------------------------------------------------------
Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any file
within webapps/axis2 directory but in trunk or branches/2.1 you can access any
file on the file system (on Windows).
was (Author: ga...@mcs.anl.gov):
Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any
file within webapps/axis2 directory but in trunk or branches/2.1 you can access
any file on the file system.
> Local File Inclusion Vulnerability on parsing WSDL related XYD Files
> --------------------------------------------------------------------
>
> Key: AXIS2-4279
> URL: https://issues.apache.org/jira/browse/AXIS2-4279
> Project: Axis 2.0 (Axis2)
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.4.1
> Environment: Tomcat 5.5
> Axis2 1.4.1
> Reporter: Wolfram Kluge
> Priority: Blocker
> Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried
> this,
> furthermore i was also able to get public and private keystore/truststore
> located in the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can
> configure more securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
