[jira] [Commented] (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266671#comment-16266671 ]

Sachin commented on AXIS2-4279:
-------------------------------

I am using Axis 1.5.1 and I am unable to reproduce the above vulnerability. My web browser always give message saying "resource not found".
I have configured Axis to disable REST, could this be the reason I am unable to manually exploit the vulnerability. Can someone please help here?

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: nightly
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried this,
> furthermore i was also able to get public and private keystore/truststore located in the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can configure more securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]