Hi,

I noticed that Xalan version 2.7.0 is being distributed with the Axis2 1.7.3 binary release. This version appears to have a rather serious security flaw which (if I am understanding things properly) can allow remote code execution. I guess I'm wondering if this is exploitable via Axis somehow?

http://www.cvedetails.com/cve/CVE-2014-0107/
https://tools.cisco.com/security/center/viewAlert.x?alertId=34517

I've tried the approach indicated at ws-attacks below which I think is for this vulnerability, but run into exceptions I don't understand (and I'm also not a WS/XML/XSLT guru).

http://www.ws-attacks.org/XML_Signature_%E2%80%93_XSLT_Code_Execution
https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf

Thanks!

--
Philip Lowman
