[ https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980360#comment-15980360 ]

Andreas Veithen commented on AXIS2-5846:
----------------------------------------

As far as I can see this occurs only with SimpleHTTPServer, not with 
AxisServlet. Since the admin console isn't supported with SimpleHTTPServer, the 
user name and password exposed aren't actually used, and an attacker wouldn't be 
able to gain any additional privileges.

Also note that (at least in my opinion) SimpleHTTPServer shouldn't be used in 
production systems. Probably we should replace that code with an embedded Jetty 
server and use AxisServlet.

> Local file inclusion vulnerability in Axis2
> -------------------------------------------
>
>                 Key: AXIS2-5846
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5846
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Nupur
>            Priority: Critical
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2 
> A defect has been raised on Present PCP 7.3 axis version 
> *There is a Local File Inclusion (LFI) present in the Axis2 service. It 
> allows the attacker to view certain files that would normally be 
> inaccessible. This is a violation of PSB requirement SEC-SUP-PATCH because 
> this is a publicly disclosed vulnerability with a patch. 
> *Security impact: Some of the files that are accessible via this LFI contain 
> the username and password to the Axis2 admin interface. While the admin 
> interface appears to be disabled currently, if it was ever enabled or an 
> attacker found a way to access it, they would gain admin access to the Axis2 
> system. 
> In addition, this vulnerability is publicly known, which makes it more likely 
> to be exploited by an attacker. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
