[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files

Thu, 26 Mar 2009 12:07:17 -0700 

    [ 
https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689596#action_12689596
 ] 

Jarek Gawor commented on AXIS2-4279:
------------------------------------

Detelin,

I don't. I think we should restrict what types of files can be served using 
?xsd or ?wsdl2. And we can't also allow any files to be served from within the 
META-INF. That's a classloader lookup so technically anything within META-INF 
anywhere in the classloader could be served, so we need to restrict it somehow. 
I chose to restrict it based on the file extension.

Item 2 you mentioned is already how things work for ?xsd. That is, it looks for 
schemas in a map first (this map is based on the service referenced wsdl/schema 
files) but if it fails it falls back to this classloader lookup. That's why my 
initial reaction was to remove this fallback code but at the end I decided to 
keep and patch it, in case somebody is actually relying on that.  I figured it 
was added for a reason.

The ?wsdl2 also has this classloader lookup but it's the only means of getting 
named wsdl2 files. So we would need a new solution for that if we were to 
remove the classloader lookup code.


> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried 
> this, 
> furthermore i was also able to get public and private keystore/truststore 
> located in the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can 
> configure more securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to