[ https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15980384#comment-15980384 ]

Hudson commented on AXIS2-5846:
-------------------------------

UNSTABLE: Integrated in Jenkins build Axis2 #3688 (See [https://builds.apache.org/job/Axis2/3688/])
AXIS2-5846: Fix a local file inclusion vulnerability in SimpleHTTPServer. This occurs because axis2server.sh adds the root directory of the binary distribution to the class path, and SimpleHTTPServer doesn't limit the search for XSD/WSDL files to the service class loader. This means that axis2.xml is accessible remotely via a specially crafted query string (xsd=../conf/axis2.xml).

Although AxisServlet is not known to be vulnerable, this change also modifies ListingAgent to limit the search to the service class loader. (veithen: rev 1792353)
* (edit) axis2/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
* (edit) axis2/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
* (edit) axis2/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java


> Local file inclusion vulnerability in SimpleHTTPServer
> ------------------------------------------------------
>
>                 Key: AXIS2-5846
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5846
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2, 1.7.4
>            Reporter: Nupur
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2 
> A defect has been raised on the present PCP 7.3 Axis version. 
> *There is a Local File Inclusion (LFI) present in the Axis2 service. It 
> allows the attacker to view certain files that would normally be 
> inaccessible. This is a violation of PSB requirement SEC-SUP-PATCH because 
> this is a publicly disclosed vulnerability with a patch. 
> *Security impact: Some of the files that are accessible via this LFI contain 
> the username and password to the Axis2 admin interface. While the admin 
> interface appears to be disabled currently, if it was ever enabled or an 
> attacker found a way to access it, they would gain admin access to the Axis2 
> system. 
> In addition, this vulnerability is publicly known, which makes it more likely 
> to be exploited by an attacker. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
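The commit message above describes the root cause: the `?xsd=`/`?wsdl=` lookup was not confined to the deployed service's own class loader, and the distribution root sat on the class path, so a relative name could reach `conf/axis2.xml`. The following is an added illustration of the defensive pattern the fix adopts (restrict the lookup to the service class loader and accept only plain file names); it is not Axis2's code and does not reproduce the project's actual classes. The `META-INF/` prefix, the `ServiceResourceResolver` and `InMemoryServiceLoader` names, and the in-memory class loader standing in for a deployed service archive are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Added example, not Axis2 code: resolve a WSDL/XSD name taken from a query string
// against the deployed service's own class loader only, never the application class path.
public final class ServiceResourceResolver {

    // Assumption for this example: service archives keep WSDL/XSD files under META-INF/.
    private static final String RESOURCE_PREFIX = "META-INF/";

    private final ClassLoader serviceClassLoader;

    public ServiceResourceResolver(ClassLoader serviceClassLoader) {
        this.serviceClassLoader = serviceClassLoader;
    }

    /** Accepts only a plain file name such as "schema.xsd": no separators, no "..", no NUL. */
    static boolean isSafeResourceName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) {
            return false;
        }
        if (name.contains("/") || name.contains("\\") || name.contains("..") || name.indexOf('\0') >= 0) {
            return false;
        }
        return name.endsWith(".xsd") || name.endsWith(".wsdl");
    }

    /**
     * Returns the resource stream, or null when the name is rejected or the service archive
     * does not contain it. The caller should answer 404 for null rather than trying other loaders.
     */
    public InputStream resolve(String requestedName) {
        if (!isSafeResourceName(requestedName)) {
            return null; // rejected before any class loader is consulted
        }
        // Only the service's own loader is consulted; there is no fallback to the thread-context
        // or system class loader, which is where the distribution root (and conf/axis2.xml) lives.
        return serviceClassLoader.getResourceAsStream(RESOURCE_PREFIX + requestedName);
    }

    /** Constructed stand-in for a deployed service archive: a parentless, map-backed class loader. */
    static final class InMemoryServiceLoader extends ClassLoader {
        private final Map<String, byte[]> resources = new HashMap<>();

        InMemoryServiceLoader() {
            super(null); // no parent, so nothing from the application class path is visible here
        }

        void put(String path, String content) {
            resources.put(path, content.getBytes(StandardCharsets.UTF_8));
        }

        @Override
        public InputStream getResourceAsStream(String path) {
            byte[] data = resources.get(path);
            return data == null ? null : new ByteArrayInputStream(data);
        }
    }

    public static void main(String[] args) {
        InMemoryServiceLoader loader = new InMemoryServiceLoader();
        // Constructed sample content standing in for a schema shipped inside the service archive.
        loader.put("META-INF/schema.xsd", "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"/>");
        ServiceResourceResolver resolver = new ServiceResourceResolver(loader);

        // The second and third names mirror the traversal shape named in the commit message;
        // both are rejected by the name check before any lookup happens.
        String[] requests = {"schema.xsd", "../conf/axis2.xml", "META-INF/../conf/axis2.xml", "missing.xsd"};
        for (String r : requests) {
            InputStream in = resolver.resolve(r);
            System.out.println(r + " -> " + (in == null ? "rejected or not found" : "served"));
        }
    }
}
```

Two points worth checking in a real deployment: `ClassLoader.getResourceAsStream` delegates to the parent loader first, so if the service loader's parent chain includes the application class path, a name that passes validation can still be satisfied from another jar's `META-INF/`; a child-first loader or `URLClassLoader.findResource` (which does not delegate) gives strict confinement to the archive. And the name check is the part that closes the traversal, so it belongs in front of every lookup path, including listing agents and servlet front ends that share the code.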
