David Camilo Espitia Manrique created AXIS2-5682: ----------------------------------------------------
Summary: BUG - External Control of File Name or Path
Key: AXIS2-5682
URL: https://issues.apache.org/jira/browse/AXIS2-5682
Project: Axis2
Issue Type: Bug
Components: kernel
Affects Versions: 1.6.2, 1.5.6
Reporter: David Camilo Espitia Manrique
Fix For: 1.5.6

We are currently using axis2-kernel-1.5.6.jar and the Veracode analysis found this bug in these classes:

1. DeploymentEngine.java (Line 381, 421, 469, 802, 816, 818)
2. DirectoryResourceLocation.java (Line 39)
3. HTTPWorker.java (Line 101 and 177)
4. ListingAgent.java (Line 123)
5. Utils.java (Line 650)
6. WarBasedWSDLLocator.java (Line 68)

Description of the bug:

This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any.

Is this a false positive? Thanks.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
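The flaw class the scanner describes (a file name built from user input and opened without confining it to an intended directory) is easiest to judge against a concrete pattern. The following is an added, self-contained Java example; it is not code from Axis2, the reporter, or Veracode, and it says nothing about whether the flagged Axis2 lines are reachable with attacker input. The base directory, class and method names, and the sample inputs are all hypothetical. It puts the unchecked "join user input onto a base directory" pattern beside a hardened resolver that normalizes the result and rejects anything that lands outside the base directory:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathConfinementExample {

    // Hypothetical base directory that user-supplied names are meant to stay inside.
    static final Path BASE =
            Paths.get("/opt/webapp/services").toAbsolutePath().normalize();

    // Vulnerable pattern: the user-controlled name is joined onto the base
    // directory and used as-is. "../../etc/passwd" or an absolute path
    // like "/etc/passwd" escapes BASE; nothing here stops it.
    static File vulnerableResolve(String userSuppliedName) {
        return new File(BASE.toFile(), userSuppliedName);
    }

    // Hardened pattern: resolve, normalize away "." and ".." lexically, then
    // require that the result still lies under BASE. Path.startsWith compares
    // whole path components, so "/opt/webapp/services-evil" does not pass
    // for BASE "/opt/webapp/services" (a String prefix check would).
    static Path safeResolve(String userSuppliedName) throws IOException {
        Path resolved = BASE.resolve(userSuppliedName).normalize();
        if (!resolved.startsWith(BASE)) {
            throw new IOException("rejected: '" + userSuppliedName
                    + "' resolves outside " + BASE);
        }
        // normalize() is purely lexical. If the directory can contain symlinks,
        // call resolved.toRealPath() (file must exist) and repeat the startsWith
        // check on the real path before opening it.
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request.
        String[] inputs = {
            "Echo.aar",               // legitimate name
            "sub/../Echo.aar",        // traversal that stays inside BASE
            "../../etc/passwd",       // traversal that escapes BASE
            "/etc/passwd",            // absolute path: resolve() discards BASE
            "../services-evil/x.aar"  // sibling directory with BASE as string prefix
        };
        for (String in : inputs) {
            System.out.println("input:      " + in);
            System.out.println("vulnerable: " + vulnerableResolve(in).toPath().normalize());
            try {
                System.out.println("hardened:   " + safeResolve(in));
            } catch (IOException e) {
                System.out.println("hardened:   " + e.getMessage());
            }
            System.out.println();
        }
    }
}
```

Running this with a JDK 7 or later prints, for each input, where the unchecked join ends up and whether the hardened resolver accepts it; only the first two inputs survive the check. When triaging the flagged lines, the question to answer is the one the example isolates: does the file name reaching each call come from a request, a deployment descriptor, or a URL, and is there a check equivalent to the startsWith test between that source and the file open.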