[ https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999478#comment-15999478 ]

Andreas Veithen commented on AXIS2-5846:
----------------------------------------

The fix is included in the 1.7.5 release to be published this week.

> Local file inclusion vulnerability in SimpleHTTPServer
> ------------------------------------------------------
>
> Key: AXIS2-5846
> URL: https://issues.apache.org/jira/browse/AXIS2-5846
> Project: Axis2
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.6.2, 1.7.4
> Reporter: Nupur
> Assignee: Andreas Veithen
> Fix For: 1.7.5
>
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2
> A defect has been raised on Present PCP 7.3 axis version
> *There is a Local File Inclusion (LFI) present in the Axis2 service. It
> allows the attacker to view certain files that would normally be
> inaccessible. This is a violation of PSB requirement SEC-SUP-PATCH because
> this is a publicly disclosed vulnerability with a patch.
> *security impact: Some of the files that are accessible via this LFI contain
> the username and password to the Axis2 admin interface. While the admin
> interface appears to be disabled currently, if it was ever enabled or an
> attacker found a way to access it, they would gain admin access to the Axis2
> system.
> In addition, this vulnerability is publicly known, which makes it more likely
> to be exploited by an attacker.