[ https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689538#action_12689538 ]

Detelin Yordanov commented on AXIS2-4279:
-----------------------------------------

Hi guys,
Don't you think that checking for the .xsd extension is way too restrictive? 
It is perfectly possible that there are services out there which import 
schemas with a different file extension (e.g. simply .xml). I would suggest 
applying the following restrictions:

1. Allow access only to files under META-INF
2. Allow access only to imported schemas/WSDLs; for this to work one just needs 
to verify whether the file to load is imported from any of the AxisService 
schemas, or is contained in AxisService's importedNamespaces (contains WSDL 
imports).

What do you think?

Regards,
   Detelin
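The two restrictions above, as an added Java example that is not Axis2 code: a small resolver for the `?xsd=` request parameter that first requires the requested location to be one the service actually imports, then requires the resolved file to stay inside META-INF (also after following symlinks). The class and method names are this example's own, and the set of imported schema locations is assumed to be supplied by the caller (in Axis2 it would be collected from the AxisService's schemas and importedNamespaces); the directory layout built in `main` is constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

// Example resolver for the ?xsd= parameter (not Axis2 API; names are assumptions).
public final class SchemaResolver {
    private final Path metaInf;          // canonical META-INF directory of the service
    private final Set<String> imported;  // schema locations the service's WSDL/XSDs import

    public SchemaResolver(Path metaInf, Set<String> importedSchemaLocations) throws IOException {
        this.metaInf = metaInf.toRealPath();
        this.imported = Set.copyOf(importedSchemaLocations);
    }

    /** Returns the schema file to serve, or null if the request must be refused. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Restriction 2: only locations the service itself imports may be served.
        if (!imported.contains(requested)) {
            return null;
        }
        // Restriction 1: the resolved file must stay under META-INF, even if the
        // imported location contains ".." segments or is an absolute path.
        Path candidate = metaInf.resolve(requested).normalize();
        if (!candidate.startsWith(metaInf) || !Files.isRegularFile(candidate)) {
            return null;
        }
        // Re-check the containment after following symlinks.
        Path real = candidate.toRealPath();
        return real.startsWith(metaInf) ? real : null;
    }

    private static void report(SchemaResolver resolver, String requested) throws IOException {
        Path result = resolver.resolve(requested);
        System.out.println(requested + " -> " + (result == null ? "refused" : "served " + result));
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mimicking an exploded service archive next to WEB-INF.
        Path root = Files.createTempDirectory("axis2-xsd-demo");
        Path metaInf = Files.createDirectories(root.resolve("META-INF"));
        Path webInfConf = Files.createDirectories(root.resolve("WEB-INF").resolve("conf"));
        Files.write(metaInf.resolve("types.xsd"), "<xs:schema/>".getBytes(StandardCharsets.UTF_8));
        Files.write(webInfConf.resolve("axis2.xml"), "<axisconfig/>".getBytes(StandardCharsets.UTF_8));

        // The service imports exactly one schema location (constructed).
        SchemaResolver resolver = new SchemaResolver(metaInf, Set.of("types.xsd"));

        report(resolver, "types.xsd");                          // imported and inside META-INF
        report(resolver, "/../../../WEB-INF/conf/axis2.xml");   // the request from the report
        report(resolver, "../WEB-INF/conf/axis2.xml");          // relative traversal
        report(resolver, "META-INF/types.xsd");                 // real file, but not an imported location
    }
}
```

The import check alone is not sufficient, because an imported `schemaLocation` in a deployed WSDL can itself point outside the archive; the containment check after `normalize()` and again after `toRealPath()` is what keeps the served file under META-INF regardless of how the location was written.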

> Local File Inclusion Vulnerability on parsing WSDL related XSD Files
> --------------------------------------------------------------------
>
>                 Key: AXIS2-4279
>                 URL: https://issues.apache.org/jira/browse/AXIS2-4279
>             Project: Axis 2.0 (Axis2)
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4.1
>         Environment: Tomcat 5.5
> Axis2 1.4.1
>            Reporter: Wolfram Kluge
>            Priority: Blocker
>             Fix For: 1.5
>
>
> Hello
> I don't know if it is a vulnerability or it is an issue of misconfiguration.
> The problem occurs by doing the following things:
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> I was able to get these files displayed by the web browser. Once I tried 
> this, 
> furthermore I was also able to get the public and private keystore/truststore 
> located in the WEB-INF dir as well.
> So please let me know if it is a misconfiguration, and tell me how I can 
> configure more securely.
> If it's a bug please let me also know!
> Thank you in advance!
> Wolfram

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
