[
https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12695671#action_12695671
]
Amila Chinthaka Suriarachchi commented on AXIS2-4279:
-----------------------------------------------------
Although I could not get the axis2.xml this worked for me
http://localhost:8085/axis2/services/Version?xsd=services.xml
Again people can write security polices in service.xml (for new SMTP transport
SMTP passwords are put into
services.xml file)
I think it is possible to get password call back class as well.
So as Jarek has mentioned we must restrict it for known extension types.
Only option to support other extension is to put a parameter to axis2.xml and
set it default only to xsd and wsdl. So that users can add
any other type if they think safe.
> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
> Key: AXIS2-4279
> URL: https://issues.apache.org/jira/browse/AXIS2-4279
> Project: Axis 2.0 (Axis2)
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.4.1
> Environment: Tomcat 5.5
> Axis2 1.4.1
> Reporter: Wolfram Kluge
> Priority: Blocker
> Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried
> this,
> furthermore i was also able to get public and private keystore/truststore
> located in the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can
> configure more securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
