http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16147

AxisFaults printed in GET ?wsdl messages vulnerable to cross site scripting attacks

Summary: AxisFaults printed in GET ?wsdl messages vulnerable to cross site scripting attacks
Product: Axis
Version: current (nightly)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Deployment / Registries
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

The current CVS code only prints stack traces to the caller when the axis.development.system property is true, but if this problem existed before last week's changes (quite likely), then this problem may well exist in Axis1.0 too.

1. If you supply a service URL to the wsdl get with an invalid name and axis is configured as a development system (not the default), then you get the service string displayed in HTML. So this URL:

http://localhost:8080/axis/services/<b>bold</b>?wsdl

would result in bold being displayed in bold in the html response.

It would take a lot of effort to use this to insert script into the page, but conceivable. Were that done, the sole benefit would be to get at cookies, session theft, which doesn't make any sense in Axis on its own, as the caller is a SOAP call, not a user. But put axis in another webapp, or into a domain with shared cookies, and there is a security risk.

fix: escape everything before displaying it.