[jira] [Commented] (AXIS2-5882) Path Manipulation in WSDL20ToAxisServiceBuilder and PreProcessorInputStream


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/AXIS2-5882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16161836#comment-16161836 ]

Donald Kwakkel commented on AXIS2-5882:
---------------------------------------

Thanks. I know a lot of static code analyzer detected issues are invalid. The other 50+ ones it found I did not log, but these two I doubt. Are you also sure about the second one, that it cannot be used as an attack?

> Path Manipulation in WSDL20ToAxisServiceBuilder and PreProcessorInputStream
> ---------------------------------------------------------------------------
>
>                 Key: AXIS2-5882
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5882
>             Project: Axis2
>          Issue Type: Bug
>          Components: jaxws
>    Affects Versions: 1.7.6
>            Reporter: Donald Kwakkel
>            Priority: Critical
>              Labels: security
>
> Attackers can control the filesystem path argument to File() at PreProcessorInputStream.java line 218, which allows them to access or modify otherwise protected files.
> Explanation:
> Path manipulation errors occur when the following two conditions are met:
> 1. An attacker can specify a path used in an operation on the filesystem.
> 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
> For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
> In this case, the attacker can specify the value that enters the program at readLine() in PreProcessorInputStream.java at line 86, and this value is used to access a filesystem resource at File() in PreProcessorInputStream.java at lines 218, 230, 232, 250, 253, 278.
> Possible solution: Make sure the absolute filename is validated against a known/configured valid base path.
> Also:
> Attackers can control the filesystem path argument to File() at WSDL20ToAxisServiceBuilder.java line 153, which allows them to access or modify otherwise protected files. In this case, the attacker can specify the value that enters the program at getHeaderField() in CodeGenerationEngine.java at line 101, and this value is used to access a filesystem resource at File() in WSDL20ToAxisServiceBuilder.java at lines 153 and 1281.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
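
The "Possible solution" in the quoted report (validate the absolute filename against a known/configured base path) could look like the following. This is an added example, not Axis2 code and not part of the original message; `BasePathGuard`, `resolveWithin` and the sample inputs are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Added illustration; BasePathGuard and resolveWithin are hypothetical names, not Axis2 APIs.
public final class BasePathGuard {
    private final Path base;

    public BasePathGuard(Path configuredBase) throws IOException {
        // Resolve symlinks in the base once so later comparisons use its real location.
        this.base = configuredBase.toRealPath();
    }

    /** Returns the resolved path, or throws if it would fall outside the base directory. */
    public Path resolveWithin(String untrusted) throws IOException {
        if (untrusted == null || untrusted.indexOf('\0') >= 0) {
            throw new SecurityException("invalid path value");
        }
        // resolve() lets an absolute input replace the base, so normalize and check the prefix.
        Path candidate = base.resolve(untrusted).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + untrusted);
        }
        // Walk up to the nearest existing entry and check where it really points;
        // a dangling symlink makes toRealPath() throw, which also rejects the input.
        Path existing = candidate;
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (existing != null && !existing.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink leaves base directory: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("wsdl-base"); // constructed sample base directory
        BasePathGuard guard = new BasePathGuard(tmp);
        // Constructed inputs: two relative names inside the base, two that leave it.
        String[] samples = { "service.wsdl", "schemas/types.xsd", "../outside.txt", "/etc/hosts" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + guard.resolveWithin(s));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is only as good as the gap between validation and use: open the returned path promptly and keep the base directory writable only by the service account.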
