  1. Axis2
  2. AXIS2-4279

Local File Inclusion Vulnerability on parsing WSDL related XSD Files


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.4.1
    • Fix Version/s: nightly
    • Component/s: transports
    • Labels: None
    • Environment: Tomcat 5.5, Axis2 1.4.1

    Description

      Hello,
      I don't know if it is a vulnerability or an issue of misconfiguration.

      The problem occurs when doing the following:

      http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml

      I was able to get these files displayed by the web browser. Once I tried this,
      I was furthermore also able to get the public and private keystore/truststore located in the WEB-INF dir as well.

      So please let me know if it is a misconfiguration, and tell me how I can configure it more securely.
      If it's a bug, please let me know as well!

      Thank you in advance!
      Wolfram
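
      One way to confine resolution of a client-supplied `xsd` value to a service's schema directory, shown as an added example that is not part of the original report and is not the fix that went into Axis2. The class name `XsdPathGuard`, the method `resolveSchema`, and the directory layout built in `main` are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class XsdPathGuard {
    /**
     * Resolve a client-supplied ?xsd= value against the directory holding a
     * service's schemas. Returns null when the result would leave that directory.
     * (Hypothetical helper, not an Axis2 API.)
     */
    static Path resolveSchema(Path schemaRoot, String xsdParam) throws IOException {
        if (xsdParam == null || xsdParam.isEmpty() || xsdParam.indexOf('\0') >= 0) {
            return null;
        }
        // Drop leading separators so "/../x" is handled relative to the root
        // instead of replacing the root as an absolute path in resolve().
        String relative = xsdParam.replaceFirst("^[/\\\\]+", "");
        Path root = schemaRoot.toRealPath();
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) return null;      // lexical escape via ".."
        if (!Files.isRegularFile(candidate)) return null;  // missing file or directory
        // toRealPath() follows symlinks, so a link that points outside is rejected too.
        return candidate.toRealPath().startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a schema directory and WEB-INF/conf/axis2.xml beside it.
        Path webInf = Files.createTempDirectory("webapp").resolve("WEB-INF");
        Path schemas = Files.createDirectories(webInf.resolve("services/WSInsane/META-INF"));
        Files.createDirectories(webInf.resolve("conf"));
        Files.write(webInf.resolve("conf/axis2.xml"), "<axisconfig/>".getBytes());
        Files.write(schemas.resolve("types.xsd"), "<schema/>".getBytes());

        String[] inputs = {
            "types.xsd",                          // legitimate schema request
            "/../../../WEB-INF/conf/axis2.xml",   // value from the report
            "../../../conf/axis2.xml"             // reaches the constructed axis2.xml
        };
        for (String in : inputs) {
            Path p = resolveSchema(schemas, in);
            System.out.println(in + " -> " + (p == null ? "rejected" : "served " + p.getFileName()));
        }
    }
}
```

      Only the first input is served; both traversal values are rejected by the `startsWith(root)` check before any file is read.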

            People

              Assignee: Unassigned
              Reporter: Wolfram Kluge