[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files
[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688205#action_12688205 ]

Jarek Gawor commented on AXIS2-4279:

I fixed the problem in trunk and branches/java/1_5 that allowed access to any files on the file system (see AXIS2-4282). So now trunk and branches/java/1_5 behave the same as Axis2 1.4.1 and have the same problem.

> Local File Inclusion Vulnerability on parsing WSDL related XYD Files
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
>                      Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
> Hello
> I don't know if it is a vulnerability or an issue of misconfiguration.
> The problem occurs by doing the following:
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> I was able to get these files displayed by the web browser. Once I tried this,
> furthermore I was also able to get the public and private keystore/truststore
> located in the WEB-INF dir as well.
> So please let me know if it is a misconfiguration, and tell me how I can
> configure it more securely.
> If it's a bug, please let me know as well!
> Thank you in advance!
> Wolfram
[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files
[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688150#action_12688150 ]

Jarek Gawor commented on AXIS2-4279:

Ok, thanks. I can replicate now with 1.4.1. In 1.4.1 you can access any file within the webapps/axis2 directory, but in trunk or branches/2.1 you can access any file on the file system.
[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files
[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688125#action_12688125 ]

Andreas Veithen commented on AXIS2-4279:

I think that the root cause of this problem is a change in r470928 [1] that passes the value of the xsd parameter directly to getResourceAsStream. This is of course not good, because it allows anybody to read any resource. The change was done just before the 1.1 release and was related to AXIS2-1556. Note that in the meantime the code has been moved to AxisService#printXSD.

[1] http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/kernel/src/org/apache/axis2/transport/http/ListingAgent.java?r1=453185&r2=470928&pathrev=470928
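
The root cause named in the comment above (a request parameter used directly as a resource path) is usually closed by treating the parameter as a lookup key and by checking path containment. The sketch below is an added example, not Axis2 code and not the change made for AXIS2-4282; `SCHEMA_ROOT`, `PUBLISHED`, `resolve` and `staysUnderRoot` are hypothetical names, and the sample inputs other than the URL value from the report are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Optional;

public class XsdParamCheck {
    // Hypothetical root directory for schema files shipped with a service.
    static final Path SCHEMA_ROOT = Paths.get("/opt/app/schemas").normalize();

    // Constructed allow-list: published schema name -> file under SCHEMA_ROOT.
    static final Map<String, String> PUBLISHED = Map.of(
            "xsd0", "WSInsane.xsd",
            "types.xsd", "common/types.xsd");

    // Returns the file to serve, or empty if the request must be refused.
    static Optional<Path> resolve(String xsdParam) {
        if (xsdParam == null) return Optional.empty();
        // 1. Only names the service itself published are accepted; the
        //    request value is a lookup key, never a path.
        String mapped = PUBLISHED.get(xsdParam);
        if (mapped == null) return Optional.empty();
        // 2. Defence in depth: the mapped file must still sit under the root
        //    after "." and ".." segments are collapsed.
        Path candidate = SCHEMA_ROOT.resolve(mapped).normalize();
        return candidate.startsWith(SCHEMA_ROOT) ? Optional.of(candidate) : Optional.empty();
    }

    // What a containment check alone says about a raw request value.
    static boolean staysUnderRoot(String raw) {
        // Strip leading separators so the value cannot replace the root.
        String relative = raw.replaceFirst("^[/\\\\]+", "");
        return SCHEMA_ROOT.resolve(relative).normalize().startsWith(SCHEMA_ROOT);
    }

    public static void main(String[] args) {
        String[] samples = {
            "xsd0",                               // constructed, published name
            "/../../../WEB-INF/conf/axis2.xml",   // value from the report
            "common/../../secret.jks"             // constructed
        };
        for (String s : samples) {
            System.out.println(s + " -> resolve=" + resolve(s).isPresent()
                    + ", staysUnderRoot=" + staysUnderRoot(s));
        }
    }
}
```

The allow-list is the primary control; the containment check only guards against a bad entry in the mapping itself.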
[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files
[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688120#action_12688120 ]

Wolfram Kluge commented on AXIS2-4279:

Well, sorry for the sparse description.

Environment:
OS: Windows XP SP3
JAVA: v1.6
Server: Tomcat 5.5
Axis2: WAR-File Distribution

My steps to reproduce this issue:
Tomcat was downloaded and installed on a Windows system. Once the server started successfully, we put the WAR file in the webapps dir. Up to this point, connecting to the axis2 interface was possible. Furthermore, we set up Eclipse and built a simple Web Service containing nothing more than one class without any content. We built the web service within the IDE and exported it as a WAR. Next we deployed our useless web service using the same procedure as for the axis2 WAR file. Once we got the WSDL of the web service displayed, we tried to execute the attack vector shown above.

I can't believe that this issue is already known, because there are so many servers out there which are vulnerable to this vector. Is there a CVE-ID in place?
[jira] Commented: (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XYD Files
[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688100#action_12688100 ]

Jarek Gawor commented on AXIS2-4279:

I see this problem in trunk and branches/1_5 but not with 1.4.1. Wolfram, can you explain in more detail your setup (OS, web container, etc.)?