[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688150#action_12688150 ]
Jarek Gawor edited comment on AXIS2-4279 at 3/22/09 8:43 PM: ------------------------------------------------------------- Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any file within webapps/axis2 directory but in trunk or branches/java/1_5 you can access any file on the file system (on Windows). was (Author: ga...@mcs.anl.gov): Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any file within webapps/axis2 directory but in trunk or branches/2.1 you can access any file on the file system (on Windows). > Local File Inclusion Vulnerability on parsing WSDL related XYD Files > -------------------------------------------------------------------- > > Key: AXIS2-4279 > URL: https://issues.apache.org/jira/browse/AXIS2-4279 > Project: Axis 2.0 (Axis2) > Issue Type: Bug > Components: transports > Affects Versions: 1.4.1 > Environment: Tomcat 5.5 > Axis2 1.4.1 > Reporter: Wolfram Kluge > Priority: Blocker > Fix For: 1.5 > > > Hello > i dont know if it is a vulnerability or it is an issue of missconfiguration. > The problem occur by doing the following things, > http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml > i was able to get these files displayed by the web browser. Once i tried > this, > furthermore i was also able to get public and private keystore/truststore > located in the WEB-IN dir as well. > So please let me know if it is a missconfiguration, and tell me how i can > configure more securely. > If its a bug please let me also know! > Thank you in advance! > Wolfram -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.