[
https://issues.apache.org/jira/browse/AXIS2-4279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688125#action_12688125
]
Andreas Veithen commented on AXIS2-4279:
----------------------------------------
I think that the root cause of this problem is a change in r470928 [1] that
passes the value of the xsd parameter directly to getResourceAsStream. This is
of course not good, because it allows anybody to read any resource. The change
was done just before the 1.1 release and was related to AXIS2-1556. Note that
in the meantime the code has been moved to AxisService#printXSD.
[1]
http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/kernel/src/org/apache/axis2/transport/http/ListingAgent.java?r1=453185&r2=470928&pathrev=470928
> Local File Inclusion Vulnerability on parsing WSDL related XYD Files
> --------------------------------------------------------------------
>
> Key: AXIS2-4279
> URL: https://issues.apache.org/jira/browse/AXIS2-4279
> Project: Axis 2.0 (Axis2)
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.4.1
> Environment: Tomcat 5.5
> Axis2 1.4.1
> Reporter: Wolfram Kluge
> Priority: Blocker
> Fix For: 1.5
>
>
> Hello
> i dont know if it is a vulnerability or it is an issue of missconfiguration.
> The problem occur by doing the following things,
> http://localhost:8080/InsaneService/services/WSInsane?xsd=/../../../WEB-INF/conf/axis2.xml
> i was able to get these files displayed by the web browser. Once i tried
> this,
> furthermore i was also able to get public and private keystore/truststore
> located in the WEB-IN dir as well.
> So please let me know if it is a missconfiguration, and tell me how i can
> configure more securely.
> If its a bug please let me also know!
> Thank you in advance!
> Wolfram
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
