[
https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516402
]
Chad DeBauch commented on WSS-70:
---------------------------------
This is not an issue if there is no security sent in the header because an
exception will be thrown before this method gets called.
That said, there is a major security hole the way the method stands. If you
have a service that requires UsernameToken and Digital Signature, and the
client sends just UsernameToken, the for loop in that method will only verify
the UsernameToken and not check the Signature, thus bypassing Digital
Signature. I created a client and a service that proves this security hole.
The fix to this issue is simple: just uncomment the following code in the
method:
// if (size != resultActions) {
//     throw new AxisFault(
//         "WSDoAllReceiver: security processing failed (actions number mismatch)");
// }
> WSHandler checkReceiverResults causes security problem
> ------------------------------------------------------
>
> Key: WSS-70
> URL: https://issues.apache.org/jira/browse/WSS-70
> Project: WSS4J
> Issue Type: Bug
> Reporter: Gürkan Vural
> Assignee: Davanum Srinivas
> Priority: Critical
>
> In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
> which also checks the size of actions. However this part is moved in
> WSS4J 1.5 to WSHandler.java using checkReceiverResults function and
> action size check is commented out. However, the checking for loop is
> controlled against the size of actions received in the SOAP message. This
> causes a security problem when an empty security header is sent. It omits
> the for loop and throws no exception!
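As an added illustration of the loop-bound problem described above and in the comment (this is not WSS4J's own code; Action, EngineResult and both check methods are hypothetical stand-ins), a weak check that walks only the results actually found in the header, beside the same loop with the commented-out size check restored:

```java
import java.util.List;

public class ReceiverResultCheck {
    // Hypothetical stand-in for WSS4J's numeric action constants.
    enum Action { USERNAME_TOKEN, SIGNATURE, ENCRYPT, TIMESTAMP }

    // Hypothetical stand-in for one WSSecurityEngineResult: the action it verified.
    static final class EngineResult {
        final Action action;
        EngineResult(Action action) { this.action = action; }
    }

    // Weak form: loop bound is the number of results RECEIVED. Each received result
    // is matched against the configured actions in order, but configured actions
    // the sender simply omitted (trailing Signature, or an empty header) are never
    // examined, so the method returns true.
    static boolean weakCheck(List<EngineResult> results, List<Action> required) {
        int ai = 0;
        for (EngineResult r : results) {
            if (ai >= required.size() || required.get(ai++) != r.action) {
                return false;
            }
        }
        return true;
    }

    // Hardened form: the count check from the issue is restored before the loop,
    // so a header carrying fewer (or more) actions than configured is rejected
    // even though the per-result loop is otherwise unchanged.
    static boolean strictCheck(List<EngineResult> results, List<Action> required) {
        if (results.size() != required.size()) {
            return false; // "actions number mismatch"
        }
        return weakCheck(results, required);
    }

    public static void main(String[] args) {
        // Constructed sample: service configured for UsernameToken + Signature.
        List<Action> required = List.of(Action.USERNAME_TOKEN, Action.SIGNATURE);
        List<EngineResult> utOnly = List.of(new EngineResult(Action.USERNAME_TOKEN));
        List<EngineResult> empty = List.of();
        List<EngineResult> both = List.of(new EngineResult(Action.USERNAME_TOKEN),
                                          new EngineResult(Action.SIGNATURE));
        System.out.println("weak,   UT only : " + weakCheck(utOnly, required));
        System.out.println("weak,   empty   : " + weakCheck(empty, required));
        System.out.println("strict, UT only : " + strictCheck(utOnly, required));
        System.out.println("strict, empty   : " + strictCheck(empty, required));
        System.out.println("strict, both    : " + strictCheck(both, required));
    }
}
```

The first two lines of output show the bypass (the weak check accepts a header missing the Signature and an empty one); only the complete header passes the strict check.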
--
This message is automatically generated by JIRA.