[jira] [Commented] (AXIS2-4279) Local File Inclusion Vulnerability on parsing WSDL related XSD Files



JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16266718#comment-16266718 ]

robert lazarski commented on AXIS2-4279:
----------------------------------------

Please move this question to the axis2 users mailing list, but first you will need to test any issues you have with the latest Axis2 version (1.7.x), as 1.5.1 has long been unsupported.

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: nightly
>
>
> Hello
> I don't know if it is a vulnerability or an issue of misconfiguration.
> The problem occurs when doing the following:
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> I was able to get these files displayed by the web browser. Once I tried this,
> I was furthermore also able to get the public and private keystore/truststore located in the WEB-INF dir as well.
> So please let me know if it is a misconfiguration, and tell me how I can configure it more securely.
> If it's a bug, please let me know as well!
> Thank you in advance!
> Wolfram



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
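The report above shows the `?xsd=` parameter being resolved against the servlet filesystem without confinement, so `../` segments reach `WEB-INF`. The following is an added example (not Axis2 code; the function names, the `schema_root` directory and the log lines are hypothetical and constructed) of the two controls a defender would want: a resolver that canonicalises the requested name and refuses anything that escapes the schema directory, and a check over access-log lines that flags `xsd=` values carrying traversal segments, including percent-encoded ones.

```python
import os
import posixpath
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

def resolve_schema_path(schema_root, requested):
    """Map a ?xsd= value onto a file under schema_root, or return None.
    Hypothetical hardened resolver (not Axis2 code): normalise the value,
    then require the canonical result to stay under the canonical root.
    """
    if not requested or "\x00" in requested:
        return None
    rel = posixpath.normpath(requested.lstrip("/"))  # collapse '.' and '..'
    if rel in (".", "..") or rel.startswith("../"):
        return None
    root = os.path.realpath(schema_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:  # symlinks resolved above
        return None
    return candidate if os.path.isfile(candidate) else None

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def is_suspicious_xsd_request(log_line):
    """Flag a common-log-format line whose ?xsd= parameter has '..' segments."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return False
    params = parse_qs(urlsplit(m.group(1)).query)  # decodes %2F etc.
    return any(TRAVERSAL.search(unquote(v)) for v in params.get("xsd", []))

def self_check():
    """Exercise both helpers on a constructed schema dir and constructed log lines."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "types.xsd"), "w") as fh:
            fh.write("<xs:schema/>")
        ok = resolve_schema_path(root, "types.xsd")
        escaped = resolve_schema_path(root, "/../../../WEB-INF/conf/axis2.xml")
    prefix = '127.0.0.1 - - [01/Jan/2017:10:00:00 +0000] "GET /InsaneService/services/WSInsane?xsd='
    benign = prefix + 'types.xsd HTTP/1.1" 200 512'
    attack = prefix + '/../../../WEB-INF/conf/axis2.xml HTTP/1.1" 200 2048'
    encoded = prefix + '%2F..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 900'
    return {
        "valid_resolves": ok is not None and ok.endswith("types.xsd"),
        "traversal_refused": escaped is None,
        "benign_flagged": is_suspicious_xsd_request(benign),
        "attack_flagged": is_suspicious_xsd_request(attack),
        "encoded_flagged": is_suspicious_xsd_request(encoded),
    }
```

Keeping the service's schema files in a directory of their own (rather than resolving against the web application root) is what makes the `commonpath` check meaningful; the log check is a cheap retroactive sweep for the pattern reported here.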
